1

I have a very strange problem with Django's corsheaders. I have tried all sorts of permutations and combinations by playing with all the possible settings but of no use.

My current settings look like this:

ALLOWED_HOSTS = ['*']

CORS_ALLOWED_ORIGINS = ['*']
CORS_ALLOW_ALL_ORIGINS = True

This is still causing the following error when the frontend sends an API request:

has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I am not sure what else needs to be added, please let me know if I am missing anything here.

I have already added 'corsheaders' in INSTALLED_APPS and also 'corsheaders.middleware.CorsMiddleware'in the MIDDLEWARE list (on top)

I have tried adding domains one by one in the lists and verified by loading the changes, but still nothing worked. Even though I have now allowed for any origin and any host to send cross-origin requests, it is still throwing the CORS error.

NithishB
  • 11
  • 1
  • 3
  • Does your client code add headers to the problematic request? If so, you may have to explicitly allow them in your CORS config. – jub0bs Dec 22 '22 at 12:43
  • 1
    No this is a simple GET request and no headers are added from client side, not even 'Content-Type' as it is not required for GET – NithishB Dec 22 '22 at 14:54
  • I had a cursory look at the source code of Django's corsheaders. Try again after removing `CORS_ALLOWED_ORIGINS = ['*']` but do keep `CORS_ALLOW_ALL_ORIGINS = True`. – jub0bs Dec 22 '22 at 15:09
  • 1
    Tried this, it is working fine when running in default Django server. But this is still throwing CORS errors when run in Apache webserver. Looks like some issue with apache. Thank you! – NithishB Dec 22 '22 at 17:03
  • I have the same issue. i set: CORS_ALLOW_HEADERS =['*'] " ALLOWED_HOST = ['*'] does not work. I set allow all origins to True as well. no deference. – zaman Jul 26 '23 at 17:49

1 Answers1

1

If you use credentials, you aren't allowed to use * (CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true).

Set specific urls.

emielvd95
  • 11
  • 4
  • I've tried setting specific URLs, it was still throwing the same error. Also, I am not using any credentials or cookie-based stuff in the requests/responses – NithishB Dec 22 '22 at 11:50
  • You also tried specific urls (http and http?) in CORS_ALLOWED_ORIGINS and left the wildcard in the ALLOWED_HOSTS? – emielvd95 Dec 22 '22 at 12:31
  • Yes I tried both combinations, added all possible http, https URLs and left the other one wildcard. Strangely this issue seems to disappear when I run the server manually using python manage.py runserver 0.0.0.0:8000. It may be an Apache webserver issue, but not sure how to tackle this. Thanks for your comment – NithishB Dec 22 '22 at 12:33
  • Perhaps one last try: https://stackoverflow.com/questions/67327660/cors-not-working-in-django-but-settings-seem-correct (second answer). Good luck! – emielvd95 Dec 22 '22 at 12:43