No Access-Control-Allow-Origin in response headers ?
k8scat opened this issue · comments
My settings follow:
INSTALLED_APPS = [
'corsheaders',
]
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware', # at the top of all middlewares
]
CORS_ALLOW_METHODS = [
'DELETE',
'GET',
'OPTIONS',
'PATCH',
'POST',
'PUT',
]
CORS_ALLOW_HEADERS = [
'accept',
'accept-encoding',
'authorization',
'content-type',
'dnt',
'origin',
'user-agent',
'x-csrftoken',
'x-requested-with'
]
CORS_ORIGIN_ALLOW_ALL = True
but I met CORB
problem because of the miss of the Access-Control-Allow-Origin
Please provide a demo application and the exact log message you're getting from which web browser.
I test with postman
, no ACAO
header really
I just wanna know that there will be the ACAO
header after using django-cors-headers
?
what is your django version
The ACAO header will only be sent if the Origin
header is set. I think that's missing in your cas.e.
The ACAO header will only be sent if the
Origin
header is set. I think that's missing in your cas.e.
That means I need to set the header Origin
in the response?
I means that I have set CORS_ORIGIN_ALLOW_ALL = True
, why not add ACAO header in response automatically?
Browsers send the Origin
header in requests, which is what triggers CORS headers like ACAO being sent. Please read the articles listed here: https://github.com/adamchainz/django-cors-headers#about-cors
To make it even clearer, the Access-Control-Allow-Origin (ACAO) header will only show up if the request includes the Origin
header.
For example,
curl -I -H "Origin: https://client.example.com" "https://api.example.com/"
Python 27
django-cors-headers==3.0.0
django=1.11
It's ok
use django-cors-headers==2.5.3, ACAO not in response headers.
Has anyone solved this issue?
I'm experiencing this problem randomly once every ~ 30 requests. Can't find any answer online that even gives me a clue what the problem is. I have tried multiple configurations of django-cors-headers based on their documentation, have tried updating the package, adding http/https of my origin in the whitelist, slash/noslash in the end. Nothing has worked so far. Tried on multiple browsers (chrome and firefox) and it happens on all of them.
Anyone have more up to date information on this?
Please don't comment on old issues, also read all the resources because perhaps you missed something about CORS like the previous posters have.