Cannot POST files using `CORS_ALLOW_CREDENTIALS = True` and `CORS_ORIGIN_ALLOW_ALL = True`
Myzel394 opened this issue · comments
- Added
django-cors-headers
and followed docs - GETting, POSTing and PUTting works fine
- POSTing files do not work!
Here are my setting
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
ALLOWED_HOSTS = ["*"]
When I now try to upload files (Content-Type = multipart/form-data
), I get the following error:
Firefox:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:3000/api/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Chrome:
Access to XMLHttpRequest at 'http://127.0.0.1:8000/api/' from origin 'http://127.0.0.1:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I checked it and indeed, the Access-Control-Allow-Origin'
header is missing. I configured everything according to docs, so I think this must be an issue. Please let me know if you know a solution to this.
Closing due to age. There's not enough information here to determine the bug, but it's probably a CSRF issue. The blocked response should be read in network tools to check.
@Myzel394 did you ever solve this? I am having this issue as well
@JMIdeaMaker I found a workaround for my case. I started chrome without security features. This way everything suddenly worked without any cors pain.
But keep in mind, that if you are using multiple domains, you still have to find a solution for this. This here will only work in development and in production when your frontend and backend is on the same domain.
EDIT
Here's the command:
google-chrome --user-data-dir="chrome_dev_session" --disable-web-security
Never EVER use Chrome with --disable-web-security
, or advise others to do so.
I'm also having this issue