Resolve "CORS headers for public landing pages"

David Pape requested to merge 722-cors-headers-for-public-landing-pages into master

I chose django-cors-headers to implement this. In the future we can implement signal handlers to allow CORS only on landing pages; for now the settings are global.

This is a bit difficult to test. I ran the Django development server on my HZDR-internal IP 149.220.XXX.YYY and a normal webserver on my hostname fwcXXX. Then I visited the default page on http://fwcXXX and from the console did a request:

var http_request = new XMLHttpRequest();
http_request.open("GET", "http://149.220.XXX.YYY:8000/object/127/");
http_request.setRequestHeader("Content-Type", "application/json");
http_request.setRequestHeader("Accept", "text/html");
http_request.send(); 

This sends a CORS preflight OPTIONS request, receives a response with HTTP/200, sees that the Access-Control-Allow-Origin header is not set and fails.

After adding the domain http://fwcXXX to the CORS list in the .env file and restarting the dev server, we can try again. This time the preflight request succeeds again and also contains http://fwcXXX in the header, and the browser proceeds to send a GET request successfully.

Closes #722 (closed)

Edited by David Pape
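The preflight check described in the test procedure above can be modelled as a small function for use in automated tests. This is an added example, not code from the merge request or from django-cors-headers; the names `unsafe_headers` and `preflight_verdict` are hypothetical and the response headers passed to it are constructed. It also shows why the console request is preflighted at all: `Content-Type: application/json` is not a CORS-safelisted value, while `Accept: text/html` is.

```python
# Added example: simplified model of the browser's preflight decision (Fetch
# standard); credentialed requests and header value limits are left out.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                      "multipart/form-data", "text/plain"}
SAFE_HEADERS = {"accept", "accept-language", "content-language"}

# The request from the description above; the response headers used with it
# in a test are constructed, not captured from the project.
ORIGIN = "http://fwcXXX"
REQUEST_HEADERS = {"Content-Type": "application/json", "Accept": "text/html"}


def unsafe_headers(request_headers):
    """Lowercased names of the request headers that force a preflight."""
    names = []
    for name, value in request_headers.items():
        lname = name.lower()
        media_type = value.split(";")[0].strip().lower()
        if lname in SAFE_HEADERS:
            continue
        if lname == "content-type" and media_type in SAFE_CONTENT_TYPES:
            continue
        names.append(lname)
    return sorted(names)


def _tokens(value):
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def preflight_verdict(origin, method, request_headers, status, response_headers):
    """Return (allowed, reason) for one preflight response."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    if not 200 <= status < 300:
        return False, "status %d is not 2xx" % status
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "Access-Control-Allow-Origin missing"
    if allow_origin not in ("*", origin):
        return False, "origin not allowed"
    methods = _tokens(resp.get("access-control-allow-methods"))
    if method.upper() not in SAFE_METHODS and not methods & {method.lower(), "*"}:
        return False, "method not allowed"
    allowed = _tokens(resp.get("access-control-allow-headers"))
    missing = [h for h in unsafe_headers(request_headers)
               if h not in allowed and "*" not in allowed]
    if missing:
        return False, "headers not allowed: " + ", ".join(missing)
    return True, "ok"
```

Feeding it the status and headers of an `OPTIONS` response from the dev server reproduces both outcomes of the manual test without a second web server.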