No Access-Control-Allow-Origin in response headers ?

Question

No Access-Control-Allow-Origin in response headers ?

k8scat opened this issue 4 years ago · comments

My settings follow:

INSTALLED_APPS = [
    'corsheaders',
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',  # at the top of all middlewares
]

CORS_ALLOW_METHODS = [
    'DELETE',
    'GET',
    'OPTIONS',
    'PATCH',
    'POST',
    'PUT',
]
CORS_ALLOW_HEADERS = [
    'accept',
    'accept-encoding',
    'authorization',
    'content-type',
    'dnt',
    'origin',
    'user-agent',
    'x-csrftoken',
    'x-requested-with'
]
CORS_ORIGIN_ALLOW_ALL = True

but I met CORB problem because of the miss of the Access-Control-Allow-Origin

Adam Johnson · Answer 1 · Thu Feb 27 2020 01:17:35 GMT+0800 (China Standard Time)

Please provide a demo application and the exact log message you're getting from which web browser.

K8sCat · Answer 2 · Thu Feb 27 2020 01:20:09 GMT+0800 (China Standard Time)

I test with postman, no ACAO header really

K8sCat · Answer 3 · Thu Feb 27 2020 01:21:47 GMT+0800 (China Standard Time)

I just wanna know that there will be the ACAO header after using django-cors-headers?

K8sCat · Answer 4 · Thu Feb 27 2020 01:29:56 GMT+0800 (China Standard Time)

Demo app:

# endpoint
def test(request):
    return JsonResponse(dict(code=200))

# urls.py
path('test/', test)

Finally, I write a middleware to add a ACAO header

XiaoMuIns · Answer 5 · Sat Mar 07 2020 23:17:26 GMT+0800 (China Standard Time)

what is your django version

Adam Johnson · Answer 6 · Sun Mar 08 2020 04:01:19 GMT+0800 (China Standard Time)

The ACAO header will only be sent if the Origin header is set. I think that's missing in your cas.e.

K8sCat · Answer 7 · Sun Mar 08 2020 04:09:27 GMT+0800 (China Standard Time)

The ACAO header will only be sent if the Origin header is set. I think that's missing in your cas.e.

That means I need to set the header Origin in the response?

K8sCat · Answer 8 · Sun Mar 08 2020 04:23:53 GMT+0800 (China Standard Time)

I means that I have set CORS_ORIGIN_ALLOW_ALL = True, why not add ACAO header in response automatically?

Adam Johnson · Answer 9 · Sun Mar 08 2020 19:00:39 GMT+0800 (China Standard Time)

Browsers send the Origin header in requests, which is what triggers CORS headers like ACAO being sent. Please read the articles listed here: https://github.com/adamchainz/django-cors-headers#about-cors

Alexis Bellido · Answer 10 · Fri Apr 24 2020 02:35:51 GMT+0800 (China Standard Time)

To make it even clearer, the Access-Control-Allow-Origin (ACAO) header will only show up if the request includes the Origin header.

For example,

curl -I -H "Origin: https://client.example.com" "https://api.example.com/"

boneyao · Answer 11 · Sat May 02 2020 12:33:04 GMT+0800 (China Standard Time)

Python 27
django-cors-headers==3.0.0
django=1.11

It's ok

use django-cors-headers==2.5.3, ACAO not in response headers.

Pavel Nedelchev · Answer 12 · Thu Feb 17 2022 23:00:01 GMT+0800 (China Standard Time)

Has anyone solved this issue?
I'm experiencing this problem randomly once every ~ 30 requests. Can't find any answer online that even gives me a clue what the problem is. I have tried multiple configurations of django-cors-headers based on their documentation, have tried updating the package, adding http/https of my origin in the whitelist, slash/noslash in the end. Nothing has worked so far. Tried on multiple browsers (chrome and firefox) and it happens on all of them.
Anyone have more up to date information on this?

Adam Johnson · Answer 13 · Fri Feb 18 2022 02:26:04 GMT+0800 (China Standard Time)

Please don't comment on old issues, also read all the resources because perhaps you missed something about CORS like the previous posters have.