Comments (6)
adamchainz
commented on August 19, 2024
1
Since Django 1.8 support will be dropped shortly, I don't want to include it in the library. Copying that snippet should be easy enough for most projects.
from django-cors-headers.
rvanlaar
commented on August 19, 2024
Using this SessionAuthentication class for DRF mitigates the problem.
Could this be included in cors-headers?
from corsheaders import defaults as settings
from corsheaders.middleware import (
CorsPostCsrfMiddleware, CorsMiddleware)
from rest_framework.authentication import (
SessionAuthentication as RFSessionAuthentication)
class PatchDepatchRefererCsrf(CorsMiddleware, CorsPostCsrfMiddleware):
"""
Helper class to provide access to _https_referer_replace
and _https_referer_replace_reverse.
"""
def patch(self, request):
if self.is_enabled(request) and settings.CORS_REPLACE_HTTPS_REFERER:
self._https_referer_replace(request)
def depatch(self, request):
self._https_referer_replace_reverse(request)
class SessionAuthentication(RFSessionAuthentication):
"""
SessionAuthentication that patchess the HTTP_REFERER before checking
CSRF and depatch it after checking it.
corsheaders supplies middleware but DRF doesn't use the middleware
when checking CSRF for itself. This creates a problem when using https.
"""
def enforce_csrf(self, request):
patch_depatch = PatchDepatchRefererCsrf()
patch_depatch.patch(request)
super(SessionAuthentication, self).enforce_csrf(request)
patch_depatch.depatch(request)from django-cors-headers.
adamchainz
commented on August 19, 2024
I'm sorry, I'm not familiar with the REST framework. Are you saying it bypasses the middleware stack entirely?
from django-cors-headers.
avorio
commented on August 19, 2024
Are you saying it bypasses the middleware stack entirely?
It looks like turning CORS_REPLACE_HTTPS_REFERER on has no effect on Django REST Framework. I was still getting errors relating to the HTTP referer not matching the original hostname.
from django-cors-headers.
adamchainz
commented on August 19, 2024
I think CORS_REPLACE_HTTPS_REFERER is only needed on Django 1.8, since CSRF_TRUSTED_ORIGINS can be used on 1.9+ (this is from re-reading the docs, I've forgotten how this feature ever worked). Does that setting work for your situation @avorio ?
from django-cors-headers.
avorio
commented on August 19, 2024
I think
CORS_REPLACE_HTTPS_REFERERis only needed on Django 1.8, sinceCSRF_TRUSTED_ORIGINScan be used on 1.9+ (this is from re-reading the docs, I've forgotten how this feature ever worked). Does that setting work for your situation @avorio ?
I am indeed using Django 1.8, so that feature would be great there. The problem is: it's not working as it is, so I ended up using something along the lines of @rvanlaar 's solution.
Could we bake that into the core django-cors-headers somehow?
from django-cors-headers.
Related Issues (20)
- On Django 4.1, HOT 1
- 'CORS Missing Allow Origin' response despite settings aligned to documentation and links HOT 6
- i stll see this erorr Access to font at 'https://fra1.digitaloceanspaces.com/ewan-space/ewan/static/admin/fonts/Roboto-Regular-webfont.woff' from origin 'http://127.0.0.1:9000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. HOT 1
- Allow to have a list of patterns for `CORS_URLS_REGEX` HOT 1
- Listing Origin, DNT, or Accept-Encoding as allowed request headers is never necessary HOT 1
- No "Access-Control-Allow-Origin" in response despite all being set properly HOT 19
- Access-Control-Allow-Credentials absent from response headers HOT 1
- Django CORS issue with VUE HOT 1
- Request is lacking Cookie, csrftoken, sessionid after hitting the back. HOT 2
- How to set Access-Control-Allow-Origin for "chrome-extension://*" HOT 1
- Access to XMLHttpRequest from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. HOT 1
- [help]Unable to set CORS headers after configuring the library HOT 6
- origin not in headers HOT 2
- Incompatible with Daphne under ASGI HOT 5
- check_request_enabled.send() should not be called from an async context HOT 2
- no "Access-Control-Allow-Origin" when open site from google HOT 4
- No "Access-Control-Allow-Origin" on fresh django project HOT 2
- CORS stop working on cloud editors like Gitpod HOT 1
- High Security Vulnerability on dependency (sqlparse version 0.4.4) with risk of Denial of Service HOT 1
- CSRF Errors with Cloudflare HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-cors-headers.