Reputation: 225
I am trying to implement CORS support for my Django server.
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'userdetails.middleware.crossdomainxhr.XsSharing',
)
XS_SHARING_ALLOWED_CREDENTIALS = 'True'
XS_SHARING_ALLOWED_ORIGINS = '*'
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE']
'userdetails.middleware.crossdomainxhr.XsSharing' is exactly the code in https://gist.github.com/strogonoff/1369619
When I call this using an ajax script in Chrome, I get the error:
Origin HTTP 'http://localhost:8002'
(where my local web server is) is not allowed by Access Control Allowed Origin
Any idea what I might be doing wrong here?
The ajax script is here:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
<script>
$(document).ready(function () {
    var url = 'http://xx.xxx.x.xxx/api/user/register/';
    alert("going to make call, see the request/response in browser debugger/inspector");
    $.ajax({
        type: "POST",
        contentType: "application/json",
        // jQuery expects the short form "json" here, not a MIME type
        dataType: "json",
        url: url,
        // data is already a string; processData: false keeps jQuery from re-encoding it
        data: JSON.stringify({
            'firstName': 'Corsnew',
            'lastName': 'Corsnew',
            'email': '[email protected]',
            'password': 'cors'
        }),
        processData: false,
        //contentType: "application/json; charset=utf-8",
        // accept: 'text/plan',
        // note: 'origin' is not a $.ajax option; the browser sets the Origin header itself
        complete: function (jqXHR) {
            console.dir(jqXHR);
        }
    });
});
</script>
<title></title>
</head>
<body>
</body>
</html>
Response in Chrome is:
HTTP/1.1 200 OK
Date: Tue, 06 Aug 2013 07:33:09 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Upvotes: 2
Views: 6770
Reputation: 42
These two headers are conflicting:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Wildcards are not accepted and you will need to specify an origin for credentials to be sent. Your server can just echo the incoming request's origin.
(https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials)
Upvotes: 2
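As an added example (not code from the question, the answer or the linked gist), the following Python shows the server-side fix the answer describes and the browser-side check that rejects the question's headers. `cors_headers` echoes the request's Origin only when it is on an allow-list (`ALLOWED_ORIGINS` is a hypothetical list; the origins, methods and headers in it are assumptions), never sends `*` together with `Access-Control-Allow-Credentials`, and adds `Vary: Origin` so caches do not serve one origin's echoed header to another. `browser_allows` models the CORS check from the Fetch standard, including the case where `Access-Control-Allow-Origin` is sent twice, as in the response shown in the question, which a browser treats the same as a mismatch.

```python
"""Added example: allow-listed CORS headers and the browser's CORS check.
Not from the question, the answer or the linked gist."""

from typing import Dict, List, Optional, Tuple

# Hypothetical allow-list of front-end origins; adjust to the real deployment.
ALLOWED_ORIGINS = {"http://localhost:8002", "https://app.example.com"}
ALLOWED_METHODS = ["POST", "GET", "OPTIONS", "PUT", "DELETE"]
ALLOWED_HEADERS = ["Content-Type", "X-CSRFToken"]


def cors_headers(origin: Optional[str], allow_credentials: bool = True) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`.

    Only an allow-listed origin is echoed back; any other origin (or a request
    without an Origin header) gets no CORS headers, so the browser blocks it.
    A credentialed response never carries '*', which is the conflicting
    combination the answer points out.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ",".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ",".join(ALLOWED_HEADERS),
        # The value now varies per request, so shared caches must key on Origin.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_allows(response_headers: List[Tuple[str, str]], origin: str,
                   credentials: bool) -> bool:
    """Approximate the CORS check a browser runs on a response.

    `response_headers` is a list of (name, value) pairs so that a header sent
    twice stays visible. Per the Fetch standard, repeated values are combined
    with ", ", so "*, *" matches neither "*" nor the request origin.
    """
    acao_values = [v for n, v in response_headers
                   if n.lower() == "access-control-allow-origin"]
    if not acao_values:
        return False
    acao = ", ".join(acao_values)
    if not credentials:
        return acao == "*" or acao == origin
    # Credentialed request: the wildcard is rejected, the origin must match
    # exactly, and Allow-Credentials must be the literal string "true".
    acac_values = [v for n, v in response_headers
                   if n.lower() == "access-control-allow-credentials"]
    return acao == origin and acac_values == ["true"]


if __name__ == "__main__":
    # The header combination from the question, checked as a credentialed request.
    questions_headers = [("Access-Control-Allow-Origin", "*"),
                         ("Access-Control-Allow-Credentials", "true")]
    print("wildcard + credentials allowed:",
          browser_allows(questions_headers, "http://localhost:8002", credentials=True))
    fixed = list(cors_headers("http://localhost:8002").items())
    print("echoed origin allowed:",
          browser_allows(fixed, "http://localhost:8002", credentials=True))
```

In a Django middleware the origin would come from `request.META.get("HTTP_ORIGIN")` and the returned dictionary would be copied onto the response; echoing every origin unconditionally is functionally the same as `*` with credentials, which is exactly what the specification forbids, so the allow-list is the part that matters.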