Resolve "CORS headers for public landing pages"
I chose django-cors-headers to implement this. In the future we can implement signal handlers to allow CORS only on landing pages; for now the settings are global.
This is a bit difficult to test. I ran the Django development server on my HZDR-internal IP 149.220.XXX.YYY and a normal webserver on my hostname fwcXXX. Then I visited the default page on http://fwcXXX and from the console did a request:
```javascript
var http_request = new XMLHttpRequest();
http_request.open("GET", "http://149.220.XXX.YYY:8000/object/127/");
http_request.setRequestHeader("Content-Type", "application/json");
http_request.setRequestHeader("Accept", "text/html");
http_request.send();
```
This sends a CORS preflight OPTIONS request, receives a response with HTTP/200, sees that the Access-Control-Allow-Origin header is not set and fails.
After adding the domain http://fwcXXX to the CORS list in the .env file and restarting the dev server, we can try again. This time the preflight request succeeds again and also contains http://fwcXXX in the header, and the browser proceeds to send a GET request successfully.
Closes #722 (closed)
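
The preflight decision described above, modelled as an added standalone sketch that also shows the landing-page-only restriction; it is not part of this merge request and is not django-cors-headers code. The `/object/<id>/` landing-page pattern, the comma-separated list format and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: landing pages match /object/<id>/, the path requested in the test above.
LANDING_PAGE = re.compile(r"^/object/\d+/$")


def parse_allowed_origins(raw):
    """Strictly parse a comma-separated origin list, e.g. a value kept in .env."""
    origins = set()
    for item in (s.strip() for s in raw.split(",")):
        if not item:
            continue
        parts = urlsplit(item)
        # An origin is scheme://host[:port] only: no path, wildcard or "null".
        if (parts.scheme not in ("http", "https") or not parts.hostname
                or parts.path or parts.query or parts.fragment or "*" in item):
            raise ValueError(f"not a valid origin: {item!r}")
        origins.add(item.lower())
    return origins


def preflight_headers(origin, path, requested_headers, allowed_origins,
                      allowed_headers=frozenset({"accept", "content-type"})):
    """Return CORS headers for an OPTIONS preflight, or {} to refuse it."""
    if origin is None or origin.lower() not in allowed_origins:
        return {}  # no Access-Control-Allow-Origin, so the browser blocks the call
    if not LANDING_PAGE.match(path):
        return {}  # CORS stays off everywhere except landing pages
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if not wanted <= allowed_headers:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # echo the exact origin, never "*"
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Vary": "Origin",  # caches must not reuse this answer for other origins
    }


if __name__ == "__main__":
    # Constructed replay of the two attempts described above.
    for env_value in ("", "http://fwcXXX"):
        allowed = parse_allowed_origins(env_value)
        print(preflight_headers("http://fwcXXX", "/object/127/", "content-type", allowed))
```

Only `Content-Type` appears in the requested headers because `Accept: text/html` is CORS-safelisted and is not announced in the preflight.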