Question: Why isn't a preflight being initiated?
SHxKM opened this issue
Using Django REST as backend running at `http://127.0.0.1:8000/`, with the following relevant settings:

```ini
# .env
CORS_ORIGIN_WHITELIST=http://192.168.14.37:3000, http://192.168.14.37
```

```python
# settings.py (values read from .env via python-decouple)
from decouple import Csv, config

# Csv() splits the comma-separated .env value into a list of allowed origins
CORS_ORIGIN_WHITELIST = config("CORS_ORIGIN_WHITELIST", cast=Csv())
CORS_ALLOW_CREDENTIALS = True
```
Frontend is obviously running on `http://192.168.14.37:3000` in development.
Upon valid login credentials, `username` and `password`, I'm returning the response with a custom cookie:

```python
response.set_cookie(
    "yummy_cookie",
    token,
    # lifetime in seconds; Django's `expires` expects a datetime or a
    # formatted date string, so a plain integer belongs in `max_age`
    max_age=10 * 60 * 60,
    httponly=True,
    domain=config("FRONTEND_URL", cast=str),
    samesite="lax",
)
return response
```
Everything is working fine. Except I'm expecting to see an OPTIONS request, since I'm also doing this on the frontend (code omitted):

```javascript
// Nuxt axios plugin; `req` is the server-side request object and `Cookie`
// is the `cookie` npm package (both assumed, omitted in the original snippet)
import Cookie from 'cookie'

export default function ({ $axios, req }) {
  $axios.onRequest((config) => {
    const cookieStr = process.client
      ? document.cookie
      : req.headers.cookie
    const cookies = Cookie.parse(cookieStr || '') || {}
    let token = cookies.csrftoken
    if (token) {
      // non-safelisted request header: should force a CORS preflight
      config.headers['X-CSRFToken'] = token
    }
  })
}
```
If I understand correctly, and I'm probably not, this should trigger a preflight request to my backend API. Shouldn't it? `X-CSRFToken` isn't a standard header, nor is it on the exempt-list.

Everything is working just fine, but why am I not getting that extra request punishment? (not that I want it!)
Edit: After posting this question I realized it has little to do with django-cors-headers. I'll close it soon but if someone has some insight that would save me a lot of questioning.
No idea, sorry. Do you see the header actually being sent? Also since you're pulling it from `document.cookie` that implies to me your frontend isn't on a different domain and you don't actually need CORS?
> Do you see the header actually being sent?

The header is being sent. It must be sent since I'm comparing the `csrftoken` cookie value with the header's value, which is why I'm attaching the header in the first place.
> Also since you're pulling it from document.cookie that implies to me your frontend isn't on a different domain and you don't actually need CORS?

I might have omitted too much code. I've brought the logic check back, but now I have a question:
> Also since you're pulling it from document.cookie that implies to me your frontend isn't on a different domain and you don't actually need CORS?

A non-HttpOnly cookie is still fully accessible by JS, no? Django's CSRF token is not HttpOnly, by design.

I am most definitely running my backend from `http://127.0.0.1:8000/` and frontend from `http://192.168.14.37:3000` on my development machine, don't those count as different domains?
Hmmm, maybe the browser is somehow "detecting" these two "servers" are the same..? No idea by now.
That's unlikely. Sorry I don't have time to support this, but if you find the answer it's good to post it here so others can find it through issue search, google, etc.
The answer is my frontend framework can allow proxying.
If you're using a server side proxy to talk to your API, you don't need CORS.
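To make the resolution concrete, here is an added example (not code from this thread or from django-cors-headers) that applies the browser's CORS rules: a preflight is sent only when the request is cross-origin (scheme, host or port differ) and is not a "simple" request (safelisted method, safelisted headers, safelisted Content-Type). With a dev-server proxy the frontend calls a path on its own origin, so the `X-CSRFToken` header never triggers a preflight. Function names and sample URLs are hypothetical.

```javascript
// Browser rules for when a CORS preflight (OPTIONS) is required.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// An origin is scheme + host + port, so 127.0.0.1:8000 and
// 192.168.14.37:3000 are different origins, and so are :3000 and :80.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Relative request URLs (the proxy case, e.g. '/api/login/') resolve
// against the page URL and therefore share its origin.
function isCrossOrigin(pageUrl, requestUrl) {
  const resolved = new URL(requestUrl, pageUrl).href;
  return originOf(pageUrl) !== originOf(resolved);
}

// A "simple" request needs no preflight: safelisted method, only
// safelisted headers, and a safelisted Content-Type if one is set.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false; // e.g. X-CSRFToken
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false; // e.g. JSON
    }
  }
  return true;
}

// Preflight only when the request is cross-origin AND not simple.
function needsPreflight(pageUrl, requestUrl, method, headers = {}) {
  return isCrossOrigin(pageUrl, requestUrl) && !isSimpleRequest(method, headers);
}
```

Run with the thread's two addresses: a direct POST from the :3000 page to 127.0.0.1:8000 carrying `X-CSRFToken` needs a preflight, while the same POST to `/api/login/` through the proxy does not.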