Address Copilot CORS review feedback

shuchenliu · shuchenliu · commit 6e9e52a0f734 · 2026-05-16T14:38:55.000-07:00
diff --git a/src/nodenorm/handlers/__init__.py b/src/nodenorm/handlers/__init__.py
@@ -4,16 +4,16 @@
 import tornado.web
 
 import nodenorm
-from nodenorm.handlers.conflations import ValidConflationsHandler
-from nodenorm.handlers.health import NodeNormHealthHandler
-from nodenorm.handlers.normalized_nodes import NormalizedNodesHandler
-from nodenorm.handlers.semantic_types import SemanticTypeHandler
-from nodenorm.handlers.set_identifiers import SetIdentifierHandler
-from nodenorm.handlers.version import VersionHandler
 
 
 def build_handlers() -> dict[str, tuple[str, Callable]]:
     """Generate our handler mapping for the nodenorm API."""
+    from nodenorm.handlers.conflations import ValidConflationsHandler
+    from nodenorm.handlers.health import NodeNormHealthHandler
+    from nodenorm.handlers.normalized_nodes import NormalizedNodesHandler
+    from nodenorm.handlers.semantic_types import SemanticTypeHandler
+    from nodenorm.handlers.set_identifiers import SetIdentifierHandler
+    from nodenorm.handlers.version import VersionHandler
 
     handler_collection = [
         (r"/get_allowed_conflations?", ValidConflationsHandler),
diff --git a/src/nodenorm/handlers/base.py b/src/nodenorm/handlers/base.py
@@ -6,6 +6,8 @@
 class NodeNormalizationBaseHandler(BaseHandler):
     """Base handler that keeps the lightweight BioThings handler plus CORS."""
 
+    cors_origin = "*"
+    cors_allow_credentials = "false"
     cors_methods = "GET, POST, HEAD, OPTIONS"
     cors_max_age = "600"
 
@@ -16,12 +18,11 @@ def set_default_headers(self):
 
         requested_headers = self.request.headers.get("Access-Control-Request-Headers")
 
-        self.set_header("Access-Control-Allow-Origin", origin)
-        self.set_header("Access-Control-Allow-Credentials", "true")
+        self.set_header("Access-Control-Allow-Origin", self.cors_origin)
+        self.set_header("Access-Control-Allow-Credentials", self.cors_allow_credentials)
         self.set_header("Access-Control-Allow-Methods", self.cors_methods)
         self.set_header("Access-Control-Allow-Headers", requested_headers or "*")
         self.set_header("Access-Control-Max-Age", self.cors_max_age)
-        self.set_header("Vary", "Origin")
 
     def options(self, *args, **kwargs):
         self.finish()
diff --git a/tests/test_cors.py b/tests/test_cors.py
@@ -1,22 +1,9 @@
-import importlib.util
-from pathlib import Path
-
 import tornado.web
 from tornado.testing import AsyncHTTPTestCase
 
+from nodenorm.handlers.base import NodeNormalizationBaseHandler
 
 ORIGIN = "https://translatorsri.github.io"
-BASE_HANDLER_PATH = Path(__file__).parents[1] / "src" / "nodenorm" / "handlers" / "base.py"
-
-
-def load_base_handler():
-    spec = importlib.util.spec_from_file_location("_nodenorm_base_handler_under_test", BASE_HANDLER_PATH)
-    module = importlib.util.module_from_spec(spec)
-    spec.loader.exec_module(module)
-    return module.NodeNormalizationBaseHandler
-
-
-NodeNormalizationBaseHandler = load_base_handler()
 
 
 class PreflightHandler(NodeNormalizationBaseHandler):
@@ -25,12 +12,11 @@ async def get(self):
 
 
 def assert_cors_headers(headers, allowed_headers="*"):
-    assert headers["Access-Control-Allow-Origin"] == ORIGIN
-    assert headers["Access-Control-Allow-Credentials"] == "true"
+    assert headers["Access-Control-Allow-Origin"] == "*"
+    assert headers["Access-Control-Allow-Credentials"] == "false"
     assert headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
     assert headers["Access-Control-Allow-Headers"] == allowed_headers
     assert headers["Access-Control-Max-Age"] == "600"
-    assert headers["Vary"] == "Origin"
 
 
 class TestCorsHeaders(AsyncHTTPTestCase):
