Not working on staticfiles
newearthmartin opened this issue · comments
Understanding CORS
- I have read the resources.
Python Version
3.10
Django Version
3.2.9
Package Version
No response
Description
I've been succesfully using CORS_ORIGIN_ALLOW_ALL = True
with my views and I have been able to serve django views to other domains, no problem.
Now, I replaced a call to view to just getting a static file, and this is failing with a CORS error.
I moved corsheaders
to the top of INSTALLED_APPS
and MIDDLEWARE
and still I'm getting the same error, staticfiles
still remains impervious to corsheaders
.
This is a problem only in development, because in production I'm not using django to serve static files. Nevertheless this is still a problem because it disrupts development.
I believe the issue here is that staticfiles
uses a custom runserver
that serves files directly at the WSGI handler layer: https://github.com/django/django/blob/main/django/contrib/staticfiles/management/commands/runserver.py . This is before middleware.
If you use whitenoise, this deliberately disables the WSGI handler behaviour of runserver
, so that would work.
Whitenoise is also great for use in production.
I don't think there's really anything sensible we can do in django-cors-headers. This issue affects all middleware that add headers, including django's built-in security middleware.
Thanks for the great explanation! Maybe you guys can add a mention about this in the docs.
@adamchainz Do you think this qualifies as an issue/missing feature in Django? Should staticfiles
work in the same way as Django views regarding CORS? or is there a technical reason why this is happening?