我用的是烧瓶-0.10.1，而HTTP_ORIGIN似乎是这个object的吸引物之一

flask.request.environ

以下是我在处理请求时从print flask.request.environ获得的信息：

{
  "wsgi.multiprocess": false,
  "HTTP_REFERER": "http://www.freemerce.com/product/77104116",
  "SERVER_SOFTWARE": "Werkzeug/0.9.6",
  "SCRIPT_NAME": "",
  "REQUEST_METHOD": "GET",
  "PATH_INFO": "/prod/sync_req",
  "HTTP_ORIGIN": "http://www.freemerce.com",
  "SERVER_PROTOCOL": "HTTP/1.1",
  "QUERY_STRING": "",
  "werkzeug.server.shutdown": "<function shutdown_server at 0x4060e60>",
  "CONTENT_LENGTH": "",
  "HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36",
  "HTTP_CONNECTION": "keep-alive",
  "SERVER_NAME": "0.0.0.0",
  "REMOTE_PORT": 53690,
  "wsgi.url_scheme": "http",
  "SERVER_PORT": "80",
  "werkzeug.request": "<Request http://192.168.0.10/prod/sync_req [GET]>",
  "wsgi.input": "<socket._fileobject object at 0x405e1d0>",
  "HTTP_DNT": "1",
  "HTTP_HOST": "192.168.0.10:80",
  "wsgi.multithread": false,
  "HTTP_ACCEPT": "*/*",
  "HTTP_RA_SID": "DB52333D-20140914-070803-53c316-5f3242",
  "wsgi.version": "(1, 0)",
  "wsgi.run_once": false,
  "HTTP_RA_VER": "2.8.7",
  "wsgi.errors": "<open file <stderr>, mode 'w' at 0x7f57d074c270>",
  "REMOTE_ADDR": "192.168.0.131",
  "HTTP_ACCEPT_LANGUAGE": "en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,ja;q=0.2,zh-TW;q=0.2",
  "CONTENT_TYPE": "",
  "HTTP_ACCEPT_ENCODING": "gzip, deflate, sdch"
}

这会给你答案的

from flask import request
...
if request.environ['HTTP_ORIGIN'] is not None:
    print request.environ['HTTP_ORIGIN']

以下是示例：

from flask import request
...
allow_origin_list = ['https://example.com', 'http://example.com']

if 'HTTP_ORIGIN' in request.environ and request.environ['HTTP_ORIGIN']  in allow_origin_list:
    response.headers.add('Access-Control-Allow-Origin', request.environ['HTTP_ORIGIN'] )
    response.headers.add('Access-Control-Allow-Headers', 'access-control-allow-origin,content-type')
    response.headers.add('Access-Control-Allow-Methods', 'GET,POST')