Trouble: CORS appears not to work properly
JustDevZero opened this issue
Hi,
I've got problems trying to use it in a production environment.
I've had CORS_ORIGIN_ALLOW_ALL=True in settings, but still, regardless of whether or not I list which URLs we should apply in the regex, it denies access with an X-Frame-Options: SAMEORIGIN
ubuntu@osiris:~$ curl --unix /tmp/client.sock http://localhost/en/ -I
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Tue, 14 May 2019 22:18:40 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Expires: Tue, 14 May 2019 22:19:40 GMT
Cache-Control: max-age=60
Vary: , Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Length: 13215
Content-Language: en
Set-Cookie: django_language=en; expires=Wed, 13-May-2020 22:18:40 GMT; Max-Age=31536000; Path=/
Set-Cookie: sessionid=tonqgumb6r44vrp841ovjk5gpxlu8pjm; expires=Thu, 13-Jun-2019 22:18:40 GMT; HttpOnly; Max-Age=2592000; Path=/
ubuntu@osiris:~$ curl localhost:8000/en/ -I
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Tue, 14 May 2019 22:19:55 GMT
Cache-Control: max-age=60
Vary: , Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Length: 13215
Content-Language: en
Set-Cookie: django_language=en; expires=Wed, 13-May-2020 22:18:55 GMT; Max-Age=31536000; Path=/
Set-Cookie: sessionid=k8w1f9cp6k40qtb3oi0zoxh0z5r0i8yg; expires=Thu, 13-Jun-2019 22:18:55 GMT; HttpOnly; Max-Age=2592000; Path=/
Any ideas? If there's any info you need, just let me know.
Thanks for everything!
X-Frame-Options: SAMEORIGIN is a different header entirely. See the clickjacking docs: https://docs.djangoproject.com/en/2.2/ref/clickjacking/ . You don't have any CORS headers in your requests there because you aren't sending the Origin header, which is only sent by browsers.
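The point in the reply above, shown as an added example (this is not code from the issue or from django-cors-headers): a tiny stand-alone HTTP server that mimics a Django app with CORS_ORIGIN_ALLOW_ALL=True plus the clickjacking middleware, and a client that probes it with and without an Origin header. The origin value https://app.example and the function names are assumptions made for the example; the behaviour it imitates (no Origin request header, no Access-Control-Allow-Origin response header, while X-Frame-Options is always emitted) is how CORS and clickjacking protection actually interact.

```python
"""Added example: why `curl -I` shows no CORS headers.

A minimal server that behaves like Django with CORS_ORIGIN_ALLOW_ALL=True
and XFrameOptionsMiddleware enabled, and a probe that sends a request with
and without an Origin header. Not the project's own code.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class Handler(BaseHTTPRequestHandler):
    """Imitates the two middlewares the issue mixes up."""

    def _send_headers(self, body_len):
        self.send_response(200)
        # CORS middleware (assumed behaviour for CORS_ORIGIN_ALLOW_ALL=True):
        # the allow-origin header is only added when the request carries an
        # Origin header, which browsers add and `curl -I` does not.
        if self.headers.get("Origin") is not None:
            self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Vary", "Origin")
        # Clickjacking middleware: unrelated to CORS, emitted on every response.
        self.send_header("X-Frame-Options", "SAMEORIGIN")
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(body_len))
        self.end_headers()

    def do_GET(self):
        body = b"<html>constructed sample page</html>"
        self._send_headers(len(body))
        self.wfile.write(body)

    def do_HEAD(self):
        self._send_headers(0)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, origin=None):
    """GET /en/ and return the response headers, lower-cased, as a dict."""
    req = Request(f"http://127.0.0.1:{port}/en/")
    if origin is not None:
        req.add_header("Origin", origin)  # what a browser would send
    with urlopen(req) as resp:
        return {name.lower(): value for name, value in resp.getheaders()}


def check_cors(port):
    """Reproduce the issue (no Origin) and the correct probe (with Origin)."""
    without = probe(port)
    with_origin = probe(port, origin="https://app.example")  # assumed origin
    return {
        "acao_without_origin": without.get("access-control-allow-origin"),
        "acao_with_origin": with_origin.get("access-control-allow-origin"),
        "xfo_without_origin": without.get("x-frame-options"),
        "xfo_with_origin": with_origin.get("x-frame-options"),
    }


if __name__ == "__main__":
    srv = start_server()
    try:
        for key, value in check_cors(srv.server_address[1]).items():
            print(f"{key}: {value}")
    finally:
        srv.shutdown()
```

The equivalent check against a real deployment is to add the header curl leaves out, e.g. curl -I -H 'Origin: https://app.example' http://localhost:8000/en/ , and look for Access-Control-Allow-Origin in the reply; X-Frame-Options will be present either way because it comes from the clickjacking middleware, not from CORS.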
Thanks for pointing me into the right direction. Too many hours with other stuff and didn't notice that.
It's a shame X-Frame-Options is only supported on Firefox.
No worries
X-Frame-Options has great browser compatibility: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility / https://docs.djangoproject.com/en/2.2/ref/clickjacking/#limitations . Where did you see it's only on FF?