Issue Summary
We have been attempting to write a web application that uses the redash API and have been stymied by CORS errors. We have found that the REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN setting does not consistently affect the presence of CORS headers in the redash responses.
As we looked more closely, we found that the CORS headers are only provided as part of the query_result endpoint and not as part of any other endpoint in the redash API.
@arikfr, Why is CORS support only partially implemented in Redash v8? This seems like an egregious oversight. Are you planning to fix this in Redash v9?
Details
In redash/handlers/query_results.py we see this block of code:

    class QueryResultResource(BaseResource):
        @staticmethod
        def add_cors_headers(headers):
            if 'Origin' in request.headers:
                origin = request.headers['Origin']
                if set(['*', origin]) & settings.ACCESS_CONTROL_ALLOW_ORIGIN:
                    headers['Access-Control-Allow-Origin'] = origin
                    headers['Access-Control-Allow-Credentials'] = str(settings.ACCESS_CONTROL_ALLOW_CREDENTIALS).lower()

The variable settings.ACCESS_CONTROL_ALLOW_ORIGIN is populated based on the value of the environment variable REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN. This happens in settings/__init__.py.

    # CORS settings for the Query Result API (and possibly future external APIs).
    # In most cases all you need to do is set REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN
    # to the calling domain (or domains in a comma separated list).
    ACCESS_CONTROL_ALLOW_ORIGIN = set_from_string(os.environ.get("REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN", ""))

There are no other references to REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN or settings.ACCESS_CONTROL_ALLOW_ORIGIN anywhere else in the redash code base.
We have verified that if we access the query_results endpoint from our webapp running on a different host, the 2 CORS headers (Access-Control-Allow-*) are present in the responses we get from redash. For all other endpoints, these headers are not present. This obviously limits the usefulness of the Redash API.
This inquiry is related to an inquiry posted by my teammate…
Technical details:
- Redash Version: v8
- Browser/OS: chrome/firefox
- How did you install Redash: We run redash as multiple containers from the provided redash Docker Images, either in Amazon ECS or on our workstations.
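
As an added illustration (not part of the original post and not Redash code): a stdlib-only WSGI middleware that applies an origin allowlist check to every endpoint instead of a single handler. The class and helper names, the example origins, and the preflight method and header lists are assumptions; unlike the handler quoted above, it refuses to combine a wildcard origin with credentials and only ever echoes an exactly matching origin.

```python
# Added example: stdlib-only WSGI middleware. All names are hypothetical, not Redash code.
def parse_origins(value):
    # Comma-separated setting -> set of origins (assumed equivalent to set_from_string).
    return {o.strip() for o in value.split(",") if o.strip()}

class CorsMiddleware:
    def __init__(self, app, allowed, allow_credentials=False):
        if allow_credentials and "*" in allowed:
            # Echoing any Origin with credentials lets every site read
            # authenticated responses, so refuse that combination up front.
            raise ValueError("wildcard origin cannot be combined with credentials")
        self.app, self.allowed, self.allow_credentials = app, allowed, allow_credentials

    def cors_headers(self, origin):
        if not origin:
            return []                      # same-origin or non-browser client
        if "*" in self.allowed:
            return [("Access-Control-Allow-Origin", "*")]
        if origin not in self.allowed:
            return []                      # exact match only, no substring tests
        headers = [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
        if self.allow_credentials:
            headers.append(("Access-Control-Allow-Credentials", "true"))
        return headers

    def __call__(self, environ, start_response):
        cors = self.cors_headers(environ.get("HTTP_ORIGIN"))
        preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                     and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if preflight and cors:
            # Answer the preflight here; method/header lists are assumptions.
            cors += [("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
                     ("Access-Control-Allow-Headers", "Authorization, Content-Type")]
            start_response("204 No Content", cors)
            return [b""]
        # Every other response, whatever the endpoint, gets the same headers.
        return self.app(environ, lambda status, headers, exc_info=None:
                        start_response(status, list(headers) + cors, exc_info))

def sample_app(environ, start_response):   # constructed stand-in for any API endpoint
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def call(app, method, path, origin=None, preflight_for=None):
    # Drive one constructed request through the app; return (status, header dict).
    environ, seen = {"REQUEST_METHOD": method, "PATH_INFO": path}, {}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    app(environ, lambda status, headers, exc_info=None: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"]
```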