Django Localhost CORS not working

I have a local Django setup as follows

Django Rest Framework localhost:8000

AngularJS frontend local apache running on http://localservername

I installed django-cors-headers, and in my settings.py I set:

    CORS_ORIGIN_WHITELIST = (
        'http://localhost',
        'localservername',
        'http://localservername',
        '127.0.0.1'
    )

    MIDDLEWARE_CLASSES = (
        'django.contrib.sessions.middleware.SessionMiddleware',
        'corsheaders.middleware.CorsMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    )

However, I get the error "No 'Access-Control-Allow-Origin' header is present on the requested resource." whenever I remove any API that works with Rest Framework. If I set CORS_ORIGIN_ALLOW_ALL = True, then the API works correctly, but it is very unsafe for my server-side data.

What do I need to change to fix this?

+10
3 answers

According to http://www.w3.org/Security/wiki/Same_Origin_Policy, requests must be from the same port, scheme, and host in order to be considered the same origin. Here, one of your servers is located at port 80, and the other at 8080.

The origin is determined by the scheme, host, and port of the URL. Generally speaking, documents retrieved from different origins are isolated from each other. For example, if a document retrieved from http://example.com/doc.html is trying to access the DOM of a document retrieved from https://example.com/target.html, the user agent will deny access because the origin of the first document (http, example.com, 80) does not match the origin of the second document (https, example.com, 443).

+1

I had the same problem. From the django-cors-headers code, my error was as follows:

So far, the full CORS header looks like this (note the schema AND hostname):

 Access-Control-Allow-Origin: https://example.com 

The CORS_ORIGIN_WHITELIST value has to be in a format that compares with the urlparse.netloc ( docs ) of the Origin header, which is only the host (possibly with a port):

    def origin_found_in_white_lists(self, origin, url):
        return (
            url.netloc in conf.CORS_ORIGIN_WHITELIST or
            (origin == 'null' and origin in conf.CORS_ORIGIN_WHITELIST) or
            self.regex_domain_match(origin)
        )

So far, the RegEx whitelist compares it to the full Origin header.

Thus, the correct configuration (as the example in the configuration guide correctly sets, but incorrectly describes):

 CORS_ORIGIN_WHITELIST = ( 'example.com', ) 

This could be a problem if you do not want your API to talk to an insecure http version of the website. Use RegEx in this case.

Also note: during troubleshooting, it turned out that the CORS header is completely missing if no match is found. This means that the lack of a header is not a sure sign of a complete malfunction of the middleware, but perhaps just the wrong configuration.

+3
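An added example, not part of the answer above and not django-cors-headers code: a stand-alone model of the quoted check, run against constructed Origin values to show which whitelist entries can match. The names origin_allowed, audit and never_matching are hypothetical, and it assumes the regex whitelist is applied with re.match against the full Origin header.

```python
import re
from urllib.parse import urlparse


def origin_allowed(origin, whitelist=(), regex_whitelist=()):
    """Hypothetical model of the quoted origin_found_in_white_lists check."""
    netloc = urlparse(origin).netloc  # host[:port] only, scheme is dropped
    return (
        netloc in whitelist
        or (origin == 'null' and origin in whitelist)
        # Assumption: patterns are applied with re.match to the full Origin.
        or any(re.match(p, origin) for p in regex_whitelist)
    )


def audit(origins, whitelist=(), regex_whitelist=()):
    """Return {origin: allowed} for each sample Origin header value."""
    return {o: origin_allowed(o, whitelist, regex_whitelist) for o in origins}


def never_matching(whitelist):
    """Plain-whitelist entries that can never equal a netloc."""
    return [e for e in whitelist if '://' in e]


# Constructed sample Origin header values (not taken from the page).
SAMPLES = [
    'https://example.com',
    'http://example.com',
    'https://example.com:8443',
    'https://example.com.evil.test',
]

if __name__ == '__main__':
    # Entry with a scheme: compared against a netloc, so nothing matches.
    print(audit(SAMPLES, whitelist=('https://example.com',)))
    # Host-only entry: matches both http and https, but not another port.
    print(audit(SAMPLES, whitelist=('example.com',)))
    # Anchored regex: https only, exact host.
    print(audit(SAMPLES, regex_whitelist=(r'^https://example\.com$',)))
    # Unanchored regex: also admits a look-alike host with a longer name.
    print(audit(SAMPLES, regex_whitelist=(r'https://example\.com',)))
    print(never_matching(('http://localhost', 'localservername', '127.0.0.1')))
```

When restricting an API to the https origin with a regex, anchor the pattern at both ends; the last audit shows an unanchored pattern accepting `https://example.com.evil.test`.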

maybe braces matter [] instead of ()

    CORS_ORIGIN_WHITELIST = ['http://localhost', 'localservername', 'http://localservername', '127.0.0.1']

should work

0

Source: https://habr.com/ru/post/1240257/

