adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)

Not working on staticfiles

newearthmartin opened this issue · comments

Understanding CORS

  • I have read the resources.

Python Version

3.10

Django Version

3.2.9

Package Version

No response

Description

I've been successfully using CORS_ORIGIN_ALLOW_ALL = True with my views and I have been able to serve django views to other domains, no problem.

Now, I replaced a call to a view with just getting a static file, and this is failing with a CORS error.

I moved corsheaders to the top of INSTALLED_APPS and MIDDLEWARE and still I'm getting the same error, staticfiles still remains impervious to corsheaders.

This is a problem only in development, because in production I'm not using Django to serve static files. Nevertheless this is still a problem because it disrupts development.

I believe the issue here is that staticfiles uses a custom runserver that serves files directly at the WSGI handler layer: https://github.com/django/django/blob/main/django/contrib/staticfiles/management/commands/runserver.py . This is before middleware.

If you use whitenoise, this deliberately disables the WSGI handler behaviour of runserver, so that would work.

Whitenoise is also great for use in production.

I don't think there's really anything sensible we can do in django-cors-headers. This issue affects all middleware that add headers, including Django's built-in security middleware.
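The layering described in the reply above, shown as an added illustration that is not part of the thread or of any project's code. It is a standard-library-only toy model: `cors_middleware`, `static_short_circuit`, `view_layer` and the `/static/` prefix are hypothetical stand-ins, not Django, django-cors-headers or whitenoise APIs.

```python
# Toy model, standard library only: no Django, corsheaders or whitenoise code.
from wsgiref.util import setup_testing_defaults

STATIC_PREFIX = "/static/"  # assumed URL prefix for this sketch

def static_response(start_response):
    # Constructed stand-in for reading a file from disk.
    start_response("200 OK", [("Content-Type", "text/css")])
    return [b"body { margin: 0 }"]

def view_layer(environ, start_response):
    # Innermost layer: a normal view, plus static serving *inside* the chain.
    if environ["PATH_INFO"].startswith(STATIC_PREFIX):
        return static_response(start_response)
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def cors_middleware(app):
    # Stand-in for a header-adding middleware: it only sees responses
    # that are produced by the layers it wraps.
    def wrapped(environ, start_response):
        def add_header(status, headers, exc_info=None):
            headers = headers + [("Access-Control-Allow-Origin", "*")]
            return start_response(status, headers, exc_info)
        return app(environ, add_header)
    return wrapped

def static_short_circuit(app):
    # Stand-in for a handler that answers static URLs at the WSGI layer,
    # before the wrapped application (and its middleware) is ever called.
    def wrapped(environ, start_response):
        if environ["PATH_INFO"].startswith(STATIC_PREFIX):
            return static_response(start_response)
        return app(environ, start_response)
    return wrapped

def response_headers(app, path):
    # Drive one request through `app` and return the response headers.
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    b"".join(app(environ, start_response))
    return captured

dev_server = static_short_circuit(cors_middleware(view_layer))  # handler outside middleware
in_chain = cors_middleware(view_layer)  # static files served inside the chain
```

With `dev_server`, `response_headers` shows the CORS header on a view path but not on a `/static/` path; with `in_chain` it appears on both.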

Thanks for the great explanation! Maybe you guys can add a mention about this in the docs.

@adamchainz Do you think this qualifies as an issue/missing feature in Django? Should staticfiles work in the same way as Django views regarding CORS? or is there a technical reason why this is happening?