adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


Question: Why isn't a preflight being initiated?

SHxKM opened this issue · comments

commented

Using Django REST as backend running at http://127.0.0.1:8000/, with the following relevant settings:

# .env
CORS_ORIGIN_WHITELIST=http://192.168.14.37:3000, http://192.168.14.37

# settings.py
CORS_ORIGIN_WHITELIST = config("CORS_ORIGIN_WHITELIST", cast=Csv())
CORS_ALLOW_CREDENTIALS = True

Frontend is obviously running on http://192.168.14.37:3000 in development.

Upon valid login credentials, username and password, I'm returning the response with a custom cookie:

response.set_cookie(
    "yummy_cookie",
    token,
    # lifetime in seconds; Django's `expires` expects a datetime or a date
    # string, so an integer must go in `max_age` instead
    max_age=10 * 60 * 60,
    httponly=True,
    # the Domain attribute must be a bare hostname, not a URL
    domain=config("FRONTEND_URL", cast=str),
    samesite="lax",
)
return response

Everything is working fine. Except I'm expecting to see an OPTIONS request, since I'm also doing this on the frontend (code omitted):

$axios.onRequest((config) => {
    // `req` (server-side request) and `Cookie` (cookie parser) come from the
    // surrounding plugin scope, omitted in the post
    const cookieStr = process.client
      ? document.cookie
      : req.headers.cookie
    const cookies = Cookie.parse(cookieStr || '') || {}
    let token = cookies.csrftoken
    if (token) {
      config.headers['X-CSRFToken'] = token
    }
    return config
})

If I understand correctly, and I'm probably not, this should trigger a preflight request to my backend API. Shouldn't it? X-CSRFToken isn't a standard header, nor is it on the exempt-list.

Everything is working just fine, but why am I not getting that extra request punishment? (not that I want it!)

Edit: After posting this question I realized it has little to do with django-cors-headers. I'll close it soon but if someone has some insight that would save me a lot of questioning.

No idea, sorry. Do you see the header actually being sent? Also since you're pulling it from document.cookie that implies to me your frontend isn't on a different domain and you don't actually need CORS?

commented

Do you see the header actually being sent?

The header is being sent. It must be sent since I'm comparing the csrftoken cookie value with the header's value, which is why I'm attaching the header in the first place.

Also since you're pulling it from document.cookie that implies to me your frontend isn't on a different domain and you don't actually need CORS?

I might have omitted too much code. I've brought the logic check back, but now I have a question:

Also since you're pulling it from document.cookie that implies to me your frontend isn't on a different domain and you don't actually need CORS?

A non-HttpOnly cookie is still fully accessible by JS, no? Django's CSRF token is not HttpOnly, by design.

I am most definitely running my backend from http://127.0.0.1:8000/ and frontend from http://192.168.14.37:3000 in my development machine, don't those count as different domains?

commented

Hmmm, maybe the browser is somehow "detecting" these two "servers" are the same..? No idea by now.

That's unlikely. Sorry I don't have time to support this, but if you find the answer it's good to post it here so others can find it through issue search, google, etc.

commented

The answer is my frontend framework can allow proxying.

If you're using a server side proxy to talk to your API, you don't need CORS.
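The rule the thread arrives at, as an added example that is not part of the issue or of django-cors-headers: the browser only preflights when the request is cross-origin (scheme, host or port differs from the page's origin) and carries a non-safelisted method, header or content type. A proxied request to a relative path such as `/api/...` is same-origin, so no CORS check happens at all, which is why the `X-CSRFToken` header never triggered an OPTIONS request. The URLs are the ones from the thread; the function is a simplified version of the Fetch spec's CORS-safelisted rules (header value-length limits are omitted).

```javascript
// Decide whether a browser would send a CORS preflight for a request.
// Simplified from the Fetch spec's CORS-safelisted method/header rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Origin = scheme + host + port; a port difference alone makes it cross-origin.
function isCrossOrigin(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // a relative URL (e.g. a proxied "/api/..." path) resolves against the page
  const target = new URL(requestUrl, pageUrl);
  return page.origin !== target.origin;
}

function needsPreflight(pageUrl, requestUrl, method = "GET", headers = {}) {
  if (!isCrossOrigin(pageUrl, requestUrl)) return false; // same-origin: CORS not involved
  if (!SAFE_METHODS.has(method.toUpperCase())) return true; // PUT, DELETE, PATCH, ...
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true; // e.g. X-CSRFToken, Authorization
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// Thread's setup: frontend on 192.168.14.37:3000, API on 127.0.0.1:8000.
const PAGE = "http://192.168.14.37:3000/login";
console.log(needsPreflight(PAGE, "http://127.0.0.1:8000/api/login/", "POST", { "X-CSRFToken": "abc" }));
console.log(needsPreflight(PAGE, "/api/login/", "POST", { "X-CSRFToken": "abc" })); // proxied
```

Note that going through the proxy removes the preflight, not the CSRF risk: the server-side `csrftoken` cookie/header comparison is what still protects the endpoint.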