
We are using AngularJS and Django as frontend and backend respectively. We are facing a CORS error: we added corsheaders in installed_app and also added the middlewares, but we are still facing the same problem.

We are using AngularJS v1.6.3, Django 1.10.11 and Python 2.7.

Angular Controller:

var socket = io.connect('http://192.168.13.129:8000/');

socket.on('connect', function (data) { 
    console.log('connected') 
})

In Django settings.py:

INSTALLED_APPS = (
    'corsheaders',
)



MIDDLEWARE = [ 
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
]

CORS_ORIGIN_ALLOW_ALL=True

The expected result is for the Socket.IO CORS request to complete successfully, but we are getting the following error:

Access to XMLHttpRequest at 'http://192.168.13.129:8000/socket.io/?EIO=3&transport=polling&t=MncX14t' from origin 'http://192.168.13.148:8082' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

jasie
Aditya
  • Please help me as soon as possible to solve this problem. Thanks – Aditya Aug 06 '19 at 12:30
  • Hi all, I have solved this problem by adding the CORS setting in view.py along with the above-mentioned steps in the question. Before: sio = socketio.Server(async_mode=async_mode) After: sio = socketio.Server(async_mode=async_mode, cors_allowed_origins="*") – Aditya Aug 07 '19 at 06:19

1 Answer


The quick and dirty solution that a lot of people go to with CORS is to disable it by allowing all origins. But this opens the doors to vulnerabilities such as CSRF attacks against your users.

In your case, what I recommend that you do is that you enable only the origin(s) from where you expect to receive requests. From your example, the correct and secure Socket.IO configuration you'd want to use is this:

sio = socketio.Server(cors_allowed_origins="http://192.168.13.148:8082")

And if you have additional origins, just make the above argument a list and add all your origins there. A * is okay for internal tests, but not a good idea for a production site unless you really know what you are doing.

Miguel Grinberg
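
One way to build the explicit origin list the answer recommends, as an added example that is not part of the original answer or of python-socketio. The helper names, the comma-separated setting and the `example.test` host are assumptions; entries are normalized to the form a browser sends in the `Origin` header (no path, no trailing slash, no default port), and `*` is refused.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample setting (assumption): comma-separated, as from an env var.
ALLOWED_ORIGINS_RAW = "http://192.168.13.148:8082/, HTTP://Example.test:80, http://192.168.13.148:8082"


def normalize_origin(value):
    """Return 'scheme://host[:port]' as a browser serializes it, or raise ValueError."""
    value = value.strip()
    if value == "*":
        raise ValueError("wildcard is not accepted in an explicit allowlist")
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("origin needs an http(s) scheme and a host: %r" % value)
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        raise ValueError("origin must not carry a path, query or credentials: %r" % value)
    host = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    port = parts.port  # raises ValueError on a malformed port
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def load_allowed_origins(raw):
    """Parse the setting into a de-duplicated list of normalized origins."""
    origins = []
    for item in raw.split(","):
        if item.strip():
            origin = normalize_origin(item)
            if origin not in origins:
                origins.append(origin)
    if not origins:
        raise ValueError("no origins configured")
    return origins


def is_allowed(origin_header, allowed):
    """Exact match on the request's Origin header; anything unparsable is refused."""
    try:
        return normalize_origin(origin_header) in allowed
    except ValueError:
        return False


ORIGINS = load_allowed_origins(ALLOWED_ORIGINS_RAW)
# Pass the list to the server from the answer (python-socketio, not imported here):
#   sio = socketio.Server(async_mode=async_mode, cors_allowed_origins=ORIGINS)
```

`is_allowed` is only there to check the list against sample `Origin` values before deploying; the server performs its own comparison at request time.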