Why are CORS headers only partially implemented in Redash 8? Will this be fixed in Redash 9?

Issue Summary

We have been attempting to write a web application that uses the redash API and have been stymied by CORS errors. We have found that the REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN setting does not consistently affect the presence of CORS headers in the redash responses.

As we looked more closely, we found that the CORS headers are only provided as part of the query_result endpoint and not as part of any other endpoint in the redash API.

@arikfr, Why is CORS support only partially implemented in Redash v8? This seems like an egregious oversight. Are you planning to fix this in Redash v9?

Details

In redash/handlers/query_results.py we see this block of code

class QueryResultResource(BaseResource):
    @staticmethod
    def add_cors_headers(headers):
        if 'Origin' in request.headers:
            origin = request.headers['Origin']

            if set(['*', origin]) & settings.ACCESS_CONTROL_ALLOW_ORIGIN:
                headers['Access-Control-Allow-Origin'] = origin
                headers['Access-Control-Allow-Credentials'] = str(settings.ACCESS_CONTROL_ALLOW_CREDENTIALS).lower()

The variable settings.ACCESS_CONTROL_ALLOW_ORIGIN is populated based on the value of the environment variable REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN. This happens in settings/__init__.py.

# CORS settings for the Query Result API (and possibly future external APIs).
# In most cases all you need to do is set REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN
# to the calling domain (or domains in a comma separated list).
ACCESS_CONTROL_ALLOW_ORIGIN = set_from_string(os.environ.get("REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN", ""))

There are no other references to REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN or settings.ACCESS_CONTROL_ALLOW_ORIGIN anywhere else in the redash code base.

We have verified that if we access the query_results endpoint from our webapp running on a different host, the 2 CORS headers (Access-Control-Allow-*) are present in the responses we get from redash. For all other endpoints, these headers are not present. This obviously limits the usefulness of the Redash API.

This inquiry is related to an inquiry posted by my teammate…

Technical details:

  • Redash Version: v8
  • Browser/OS: chrome/firefox
  • How did you install Redash: We run redash as multiple containers from the provided redash Docker Images, either in Amazon ECS or on our workstations.

@arikfr - is there any better way to communicate with Redash developers? The website points us here, but there doesn’t seem to be anyone working on these customer questions …

Are you a customer? If so you should have access to live chat inside the app. If you’re using the open source version then this forum is indeed the place. Just keep in mind that Redash is free software and the forum is a best effort service. I’m sure the Redash developers would review a pull request adding full CORS support.
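
As an added illustration (not Redash code and not written by anyone in this thread), the allowlist check quoted from query_results.py can be applied to every endpoint by wrapping the whole WSGI application instead of one resource class. The middleware, helper names, sample origins, paths and the preflight method/header lists are assumptions; unlike the quoted code, it withholds Access-Control-Allow-Credentials when an origin matches only through `*`.

```python
# Added example: stdlib-only WSGI middleware; every name here is hypothetical.
def parse_origins(value):
    """Comma-separated setting value -> set of allowed origins."""
    return {o.strip() for o in value.split(",") if o.strip()}

def cors_headers(origin, allowed, allow_credentials):
    """Same allowlist test as the quoted add_cors_headers, returned as header pairs."""
    headers = [("Vary", "Origin")]  # keeps shared caches from mixing per-origin responses
    if origin and ({"*", origin} & allowed):
        headers.append(("Access-Control-Allow-Origin", origin))
        # Choice made in this example: only origins listed by name get credentials.
        if allow_credentials and origin in allowed:
            headers.append(("Access-Control-Allow-Credentials", "true"))
    return headers

class CORSMiddleware:
    """Wraps the whole WSGI app so every endpoint gets the same CORS decision."""
    def __init__(self, app, allowed, allow_credentials=False,
                 methods="GET, POST, DELETE", request_headers="Authorization, Content-Type"):
        self.app, self.allowed, self.allow_credentials = app, allowed, allow_credentials
        self.preflight = [("Access-Control-Allow-Methods", methods),  # assumed values
                          ("Access-Control-Allow-Headers", request_headers)]

    def __call__(self, environ, start_response):
        extra = cors_headers(environ.get("HTTP_ORIGIN"), self.allowed, self.allow_credentials)
        if (environ["REQUEST_METHOD"] == "OPTIONS" and len(extra) > 1
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            start_response("204 No Content", extra + self.preflight)  # preflight answered here
            return [b""]
        def patched(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched)

def demo_app(environ, start_response):
    """Constructed stand-in for an API with several endpoints."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def request(app, method, path, origin=None, preflight_for=None):
    """Drive a WSGI app once; return (status, headers as dict)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    seen = []
    app(environ, lambda status, headers, exc_info=None: seen.append((status, dict(headers))))
    return seen[0]
```

Calling `request(CORSMiddleware(demo_app, parse_origins("https://app.example.com")), "GET", "/api/queries", origin="https://app.example.com")` returns the status and headers for one constructed request, which makes it easy to compare listed, unlisted and wildcard origins across paths.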