Limit CORS on internal API and allow cookies #2527
Conversation
This actually needs to support the internal search view, will update.
It seems like this should actually be a middleware instead. Unless there's something I'm missing, it looks like corsheaders only supports one configuration. So I guess I'll need to write a very similar middleware or update that to support multiple configurations (this sounds like more work than I was expecting). Perhaps there's something in django-rest-framework that I can hook into instead? Any ideas @EnTeQuAk?
hmm, there is nothing specific to django-rest-framework and you're right. Given the way, the best way still would probably be to write a custom django-rest-framework renderer that patches in our custom headers… something like

```python
from rest_framework.renderers import JSONRenderer
from corsheaders.middleware import ACCESS_CONTROL_ALLOW_HEADERS


class InternalJSONRenderer(JSONRenderer):
    def render(self, data, accepted_media_type=None, renderer_context=None):
        # DRF hands the response object in through renderer_context.
        renderer_context = renderer_context or {}
        response = renderer_context.get('response', None)
        if not response:
            return super(InternalJSONRenderer, self).render(data, accepted_media_type, renderer_context)
        # Patch the CORS header onto the response before the body is rendered.
        response[ACCESS_CONTROL_ALLOW_HEADERS] = '....'
        return super(InternalJSONRenderer, self).render(data, accepted_media_type, renderer_context)
```

(untested code, this is how I think it could work) And then still make sure that
Alternate approach based on @EnTeQuAk's idea, but without using a custom renderer:
Although I don't know if either approach would still work with preflight stuff, or if we need to
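A framework-agnostic sketch of the per-path, credentialed CORS decision this thread is converging on, including the preflight (OPTIONS) case raised above. This is an added example, not code from the PR or from django-cors-headers; the internal API prefix, the allowed origins and the setting names are assumptions.

```python
"""Decide which CORS headers an internal-API response may carry (assumed names)."""
from urllib.parse import urlsplit

# Constructed settings: only these exact origins may call the internal API with cookies.
INTERNAL_API_PREFIX = "/api/v3/internal/"
INTERNAL_ALLOWED_ORIGINS = {"https://addons-frontend.example", "https://admin.example"}
INTERNAL_ALLOWED_METHODS = ("GET", "OPTIONS")
INTERNAL_ALLOWED_HEADERS = ("content-type", "authorization")


def cors_headers(method, path, origin, requested_method=None):
    """Return the CORS headers to add to a response, or {} when none apply.

    method/path describe the request, origin is the Origin request header
    (None if absent) and requested_method is Access-Control-Request-Method
    on a preflight. Credentials are only granted to an exact allowed origin,
    never to a wildcard, because Allow-Credentials together with "*" is both
    rejected by browsers and unsafe for a cookie-authenticated API.
    """
    if not path.startswith(INTERNAL_API_PREFIX) or origin is None:
        return {}
    # Match the whole origin (scheme + host + port); a suffix match would let
    # attacker-controlled hosts such as allowed.example.evil through.
    parts = urlsplit(origin)
    normalized = "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())
    if normalized not in INTERNAL_ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must not serve this origin-specific answer to others.
        "Vary": "Origin",
    }
    if method == "OPTIONS" and requested_method is not None:
        # Preflight: refuse any method outside the allow-list outright.
        if requested_method.upper() not in INTERNAL_ALLOWED_METHODS:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(INTERNAL_ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(INTERNAL_ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

Any non-internal path, missing Origin, unknown origin or disallowed preflight method yields no CORS headers at all, so the browser blocks the cross-origin read.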
@EnTeQuAk @diox I added some settings to this and updated django-cors-headers at mstriemer/django-cors-headers#1. I thought I'd give updating django-cors-headers a try so as to avoid two different CORS implementations. Let me know how it looks, I'm open to changing things.
I added some comments on the PR for lgtm
Fixes mozilla/addons#3026.