I'm using Google AppEngine to deploy a webapp and I've set my app.yaml like this:

    handlers:
    - url: /assets
      static_dir: dist/assets
    - url: /dist
      static_dir: dist
    - url: /.*
      script: app.server.main.app
      secure: always
      login: required

When I open my app in Chrome Incognito mode, Flask handles the call to / and serves the file index.html (there is no direct access to this file, which is in neither /assets nor /dist). Then all my static resources are served (the CSS and JS referenced in index.html), and some AJAX requests are performed too. Those AJAX requests fail because of the login: required in the yaml.
The error I get in the console:
XMLHttpRequest cannot load https://www.google.com/a/XXXXX/ServiceLogin?service=ah&passive=t…inue%3Dhttps://YYYYYY.appspot.com/gettoken. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://YYYYYY.appspot.com' is therefore not allowed access.
Why are those resources served in the first place? Accessing '/' of my app should require the login first, and then serve them.
My first post was unclear about how index.html is accessed.
The reason your static files are served is due to the fact that they do not require login. Please note that login is only required for the /.* pattern and has no effect on other patterns, and patterns are evaluated in the order they appear in the app.yaml file, from top to bottom.
The following configuration, although not tested, should require login before serving the static files.

    handlers:
    - url: /assets
      static_dir: dist/assets
      login: required
    - url: /dist
      static_dir: dist
      login: required
    - url: /.*
      script: app.server.main.app
      secure: always
      login: required
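
The first-match behaviour discussed above can be checked offline with the short model below. It is an added example, not part of the original question or answer and not App Engine code: the handler lists are transcribed from the two app.yaml files on this page, the matching rules are a simplified assumption (static_dir URLs treated as path prefixes, script URLs as full-match regexes, a missing login key treated as "optional"), and the sample request paths other than /gettoken are constructed.

```python
import re

# Handler lists transcribed from the two app.yaml files on this page.
ORIGINAL = [
    {"url": "/assets", "static_dir": "dist/assets"},
    {"url": "/dist", "static_dir": "dist"},
    {"url": "/.*", "script": "app.server.main.app", "secure": "always", "login": "required"},
]
CORRECTED = [
    {"url": "/assets", "static_dir": "dist/assets", "login": "required"},
    {"url": "/dist", "static_dir": "dist", "login": "required"},
    {"url": "/.*", "script": "app.server.main.app", "secure": "always", "login": "required"},
]


def matches(handler, path):
    """Simplified model: static_dir URLs are prefixes, script URLs are full-match regexes."""
    if "static_dir" in handler:
        prefix = handler["url"].rstrip("/")
        return path == prefix or path.startswith(prefix + "/")
    return re.fullmatch(handler["url"], path) is not None


def resolve(handlers, path):
    """Return (url pattern, login setting) of the first handler matching path, top to bottom."""
    for handler in handlers:
        if matches(handler, path):
            # A handler without a login key does not ask for sign-in (modelled as "optional").
            return handler["url"], handler.get("login", "optional")
    return None, None


def unauthenticated_paths(handlers, paths):
    """Paths from the sample list that would be served without a sign-in."""
    return [p for p in paths if resolve(handlers, p)[1] != "required"]


# Constructed sample request paths; only /gettoken appears in the question's error message.
SAMPLE_PATHS = ["/", "/gettoken", "/assets/app.css", "/dist/bundle.js"]

if __name__ == "__main__":
    for name, handlers in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name)
        for path in SAMPLE_PATHS:
            pattern, login = resolve(handlers, path)
            print(f"  {path:<18} -> {pattern:<8} login: {login}")
        print("  served without login:", unauthenticated_paths(handlers, SAMPLE_PATHS))
```

Running the same audit over a real handler list before deployment shows which URL prefixes are reachable without a sign-in because an earlier handler shadows the catch-all.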