non-intuitive origin rejection behavior
sunomie opened this issue · comments
Firstly, thanks for this project.
Want to point out something that tripped me up for a good few hours tonight.
With a setting like:
CORS_ORIGIN_WHITELIST = (
    'https://something.com',
    'http://something.com',
)
If requests come in with an origin of something.com, they are accepted (access-control-allow-origin set in response).
If requests come in with an origin of https://something.com or http://something.com, they are rejected (no access-control-allow-origin).
That latter behavior I was not at all expecting, as React web was sending the origin that way, and CORS was getting rejected. Spent longer than I care to admit trying to find a fix, and I ended up throwing this at it and it worked:
With a setting like:
CORS_ORIGIN_WHITELIST = (
    'http://something.com:',
    'https://something.com:',
    'http://something.com:443',
    'https://something.com:80',
    'something.com:443',
    'something.com:80',
)
Weirdly, no two out of the above seemed to do it by itself (unless I gooned something up testing it).
Maybe this behavior is documented somewhere, but it was not intuitive to me. (Everything I found said that http:// and https:// allowed you to leave off the common ports 443 and 80.) This might not be a real bug ... but wanted to get it documented/searchable a bit to help the next person trying to find an answer. Thanks.
Are you on the latest version? Version 3 changed the behaviour to require schemes
"no two out of the above seemed to do it by itself" sounds like it's not a real bug.
I'm closing this for now but happy to investigate if you can provide a failing test case.
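An added example, not part of the thread and not django-cors-headers code: a small linter for allowlist entries like the ones posted above, built on the scheme requirement mentioned for version 3. It assumes the allowlist is compared to the `Origin` header by exact string match and that browsers serialize an origin as `scheme://host` with the default port omitted; `lint_entry` and `origin_allowed` are hypothetical names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def lint_entry(entry):
    """Return reasons why an allowlist entry cannot equal a browser-sent Origin."""
    if "://" not in entry:
        return ["missing scheme"]
    parts = urlsplit(entry)
    problems = []
    if parts.scheme not in DEFAULT_PORTS:
        problems.append("scheme is not http or https")
    if parts.path or parts.query or parts.fragment:
        problems.append("has path, query or fragment")
    if parts.netloc.endswith(":"):
        problems.append("trailing colon with no port")
    else:
        try:
            port = parts.port
        except ValueError:
            port = None
            problems.append("invalid port")
        if port is not None and port == DEFAULT_PORTS.get(parts.scheme):
            problems.append("default port is omitted by browsers")
    return problems

def origin_allowed(origin, allowlist):
    """Assumed matching rule: exact, case-sensitive string comparison."""
    return origin in allowlist

# Entries copied from the two settings in the issue.
FIRST = ("https://something.com", "http://something.com")
SECOND = (
    "http://something.com:", "https://something.com:",
    "http://something.com:443", "https://something.com:80",
    "something.com:443", "something.com:80",
)

def report(entries):
    """Map each entry to its lint findings (empty list = well-formed origin)."""
    return {entry: lint_entry(entry) for entry in entries}

if __name__ == "__main__":
    for entry, problems in report(FIRST + SECOND).items():
        print(f"{entry!r}: {', '.join(problems) or 'well-formed origin'}")
```

An entry with no findings is only well-formed; `https://something.com:80` passes the linter but names a different origin from `https://something.com`.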