Cors headers are not added, when `origin` is not present in header
max-wittig opened this issue
Max Wittig commented
Maybe I don't understand something correctly, but I'm not sure why it's required to set the origin header for CORS headers to show up at all. It's set by the user and cannot be trusted anyway. Why is it required to be in the header?
```python
from corsheaders.defaults import default_headers

CORS_URLS_REGEX = r'/api/.*$'
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CORS_REPLACE_HTTPS_REFERER = True
CORS_ALLOW_HEADERS = default_headers + (
    'Credential-Token',
)
```
With origin header:

Without origin header:

Any string can be sent as origin:
Adam Johnson commented
Yes it’s user controlled. CORS only applies in the browser context to avoid accidental cross domain information leakage. The linked articles in the README cover this better than I can summarise here I’m afraid.
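As an added illustration of the point made in this exchange (my own example, not django-cors-headers' code and not from either commenter), the following Python models the two halves of CORS: a server-side function that decides which headers to attach, in the spirit of the settings posted above, and a browser-side function that decides whether a page may read the response. The settings dict, origins and paths are constructed values; the wildcard-versus-credentials rule follows the browser CORS specification (a `*` allow-origin is rejected when credentials are included). The server side emits nothing without an `Origin` header because a request without one did not come from a browser cross-origin context, and only the browser side ever enforces anything, which is why a hand-supplied `Origin` value gains nothing.

```python
import re
from typing import Dict, Mapping

# Constructed settings in the shape of the issue's config; not the project's own code.
SETTINGS = {
    "CORS_URLS_REGEX": r"/api/.*$",
    "CORS_ORIGIN_ALLOW_ALL": True,
    "CORS_ALLOW_CREDENTIALS": True,
    "CORS_ORIGIN_WHITELIST": (),  # only consulted when ALLOW_ALL is False
    "CORS_ALLOW_HEADERS": ("accept", "authorization", "content-type", "origin", "credential-token"),
    "CORS_ALLOW_METHODS": ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"),
}


def cors_response_headers(path: str, request_headers: Mapping[str, str],
                          settings: Mapping = SETTINGS) -> Dict[str, str]:
    """Server side: which CORS headers to attach to the response.

    An empty dict means "add nothing". Without an Origin header the request did
    not come from a browser's cross-origin context, so there is no origin to
    authorize and the headers would be meaningless.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        return {}
    if not re.match(settings["CORS_URLS_REGEX"], path):
        return {}
    allow_all = settings["CORS_ORIGIN_ALLOW_ALL"]
    with_creds = settings["CORS_ALLOW_CREDENTIALS"]
    if not allow_all and origin not in settings["CORS_ORIGIN_WHITELIST"]:
        return {}  # unknown origin: stay silent, the browser will block the read

    out: Dict[str, str] = {}
    # The wildcard is only valid for credential-less requests; once credentials
    # are allowed the browser insists on the exact origin being echoed back.
    if allow_all and not with_creds:
        out["Access-Control-Allow-Origin"] = "*"
    else:
        out["Access-Control-Allow-Origin"] = origin
    if with_creds:
        out["Access-Control-Allow-Credentials"] = "true"
    # A preflight (OPTIONS carrying Access-Control-Request-Method) also needs the
    # allowed headers and methods; this is where CORS_ALLOW_HEADERS matters.
    if "access-control-request-method" in hdrs:
        out["Access-Control-Allow-Headers"] = ", ".join(settings["CORS_ALLOW_HEADERS"])
        out["Access-Control-Allow-Methods"] = ", ".join(settings["CORS_ALLOW_METHODS"])
    return out


def browser_allows_read(page_origin: str, response_headers: Mapping[str, str],
                        with_credentials: bool) -> bool:
    """Browser side: may script running on page_origin read this response?

    This is the only place CORS is enforced. A client that is not a browser
    never runs this check, so an Origin value typed in by hand changes nothing:
    such a client could already read the response body without any CORS headers.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != page_origin:
        return False
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True


if __name__ == "__main__":
    # The same request with and without Origin, matching the issue's two screenshots.
    print(cors_response_headers("/api/items", {"Origin": "https://app.example"}))
    print(cors_response_headers("/api/items", {}))
```

Running the block shows the behaviour the issue reports: the request carrying `Origin` gets `Access-Control-Allow-Origin` echoed back plus `Access-Control-Allow-Credentials: true`, and the one without `Origin` gets nothing. The second function makes the reply's point concrete: the headers only ever matter to `browser_allows_read`, which a non-browser client never executes.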