The static files of my Django admin site are on a S3 bucket (DigitalOcean Spaces actually) and in the Console I get a ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200
In the network panel all the static files are considered 3rd party and blocked for this reason (not same origin)
The response to any one of these files contains a not set cross-origin-resource-policy error which says:
To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers.
What I tried :
- Following the error message, I tried to set a response header on the ressources, something like
Cross-Origin-Resource-Policy: cross-origin. But in a DigitalOcean Spaces I cannot set headers other thanContent-Type,Cache-Control,Content-Encoding,Content-Dispositionand customx-amz-meta-headers. - I tried to extend the Django admin/base.html template, duplicate a few
linktags and manually set acrossoriginattribute to them. This way the resources are queried twice, one query is blocked as before and the other one is working. The only difference in the headers is that theOriginis set. Is there a way to tell Django to add acrossoriginattribute to alllinkandscriptandimgtags of the Django admin templates ? - I tried to remove the
Cross-Origin-Opener-PolicyandCross-Origin-Embeder-Policyheaders on the ingress loadbalancer, which I guess cause the blocking, by setting them tounsafe-none. Even though I think it should work with the policy, the change had no effect on the problem which I don't understand.
What I didn't try:
- I found this tutorial explaining how to set custom headers on S3 Responses. The idea is to have a Lambda function in front modifying a
x-amz-header to a standard header. Not sure I can easily replicate this with DigitalOcean Functions.
My workaround:
- The ugly hack is to duplicate all Django admin templates and manually add a
crossoriginattribute where needed.
I don't know where this comes from, a few weeks ago it was all good. Any help appreciated.
