adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


Trouble with CORS appears to not work properly

JustDevZero opened this issue · comments

Hi,

I've got problems trying to use it in a production environment.

I've had CORS_ORIGIN_ALLOW_ALL=True in settings, but still, regardless of listing or not which URLs we should apply in the regex, it denies the access with an X-Frame-Options: SAMEORIGIN

ubuntu@osiris:~$ curl --unix /tmp/client.sock http://localhost/en/ -I
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Tue, 14 May 2019 22:18:40 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Expires: Tue, 14 May 2019 22:19:40 GMT
Cache-Control: max-age=60
Vary: , Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Length: 13215
Content-Language: en
Set-Cookie: django_language=en; expires=Wed, 13-May-2020 22:18:40 GMT; Max-Age=31536000; Path=/
Set-Cookie: sessionid=tonqgumb6r44vrp841ovjk5gpxlu8pjm; expires=Thu, 13-Jun-2019 22:18:40 GMT; HttpOnly; Max-Age=2592000; Path=/

ubuntu@osiris:~$ curl localhost:8000/en/ -I
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Tue, 14 May 2019 22:19:55 GMT
Cache-Control: max-age=60
Vary: , Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Length: 13215
Content-Language: en
Set-Cookie: django_language=en; expires=Wed, 13-May-2020 22:18:55 GMT; Max-Age=31536000; Path=/
Set-Cookie: sessionid=k8w1f9cp6k40qtb3oi0zoxh0z5r0i8yg; expires=Thu, 13-Jun-2019 22:18:55 GMT; HttpOnly; Max-Age=2592000; Path=/

Any ideas? Any info you need, just please let me know about.

Thanks for everything!

X-Frame-Options: SAMEORIGIN is a different header entirely. See the clickjacking docs: https://docs.djangoproject.com/en/2.2/ref/clickjacking/ . You don't have any headers from CORS in your requests there because you aren't sending the Origin header, which is only sent by browsers.
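The reply above rests on two independent decisions that are easy to conflate when reading a `curl -I` dump. The following is an added example, not django-cors-headers' own code and not posted by anyone in this thread: it is a simplified model of the observable rule the maintainer states (no Origin request header means no Access-Control-* response headers) alongside a separate X-Frame-Options contribution, plus a small parser that diagnoses a raw header dump like the one in the issue. The exact allow-list/regex/credentials rules in `cors_headers_for` are assumptions made for illustration; the embedded dump is a trimmed copy of the issue's first `curl` output.

```python
import re

# Constructed sample: the first `curl -I` dump from the issue, trimmed to the
# headers that matter for the diagnosis.
CURL_DUMP = """HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Vary: , Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Length: 13215
"""


def parse_headers(raw):
    """Parse a `curl -I` dump into {lower-case name: value}, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cors_headers_for(request_headers, allow_all=False, allowed_origins=(),
                     allowed_regexes=(), allow_credentials=False):
    """Headers the (modelled, assumed) CORS middleware adds to a plain GET response.

    No Origin request header means there is no cross-origin caller to answer,
    so no Access-Control-* header is written at all; Vary: Origin is still set
    so a shared cache never hands one origin's response to another.
    """
    req = {name.lower(): value for name, value in request_headers.items()}
    added = {"vary": "Origin"}
    origin = req.get("origin")
    if origin is None:
        return added
    allowed = (allow_all
               or origin in allowed_origins
               or any(re.match(pattern, origin) for pattern in allowed_regexes))
    if not allowed:
        return added  # browser will block the cross-origin read
    # A wildcard is only valid without credentials; otherwise echo the origin.
    added["access-control-allow-origin"] = "*" if (allow_all and not allow_credentials) else origin
    if allow_credentials:
        added["access-control-allow-credentials"] = "true"
    return added


def clickjacking_header(x_frame_options="SAMEORIGIN"):
    """XFrameOptionsMiddleware's contribution: fixed by its own setting, untouched by CORS."""
    return {"x-frame-options": x_frame_options.upper()}


def diagnose(raw_response, request_headers):
    """Explain a dump like the issue's: which headers are expected given what the client sent."""
    resp = parse_headers(raw_response)
    sent = {name.lower() for name in request_headers}
    findings = []
    if "origin" not in sent:
        findings.append("no Origin request header: the CORS middleware has nothing to "
                        "answer, so missing Access-Control-* headers are expected")
    elif "access-control-allow-origin" not in resp:
        findings.append("Origin was sent but no Access-Control-Allow-Origin came back: "
                        "the origin is not allowed by the CORS settings")
    if "x-frame-options" in resp:
        findings.append("X-Frame-Options: %s is set by XFrameOptionsMiddleware, "
                        "not by CORS" % resp["x-frame-options"])
    return findings


if __name__ == "__main__":
    # Reproduces the situation in the issue: curl sent no Origin header.
    for line in diagnose(CURL_DUMP, {}):
        print("-", line)
```

To check a live server the same way a browser would, pass an Origin header to curl (for example `curl -I -H "Origin: https://app.example" http://localhost:8000/en/`, with your own front-end origin in place of the constructed one) and look for Access-Control-Allow-Origin in the reply; X-Frame-Options will be present or absent exactly as the clickjacking middleware and its setting dictate, whatever the CORS configuration.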

Thanks for pointing me in the right direction. Too many hours with other stuff and I didn't notice that.

It's a shame X-Frame-Options is only supported on Firefox.