Cross Domain ajax OPTIONS error 403 (Django)


I'm developing the site aaa.com in Django. It sends cross-domain AJAX GET requests to receive JSON data from bbb.com, which also runs on Django, using REST framework. At this point it works pretty fine after adding crossDomain: true; withCredentials: true and, of course, the configuration on the server side of aaa.com:
...-allow-credentials: true; ...-allow-origin: bbb.com

The main issue comes when aaa.com tries to make PUT, POST or DELETE AJAX requests. According to the CORS documentation [https://www.w3.org/tr/cors/#cross-origin-request-with-preflight-0], the client-side AJAX request is correct, and
...-allow-headers, ...-allow-methods
are matched with
...-request-headers, ...-request-methods

So the request is not 'simple', and first of all the browser sends a preflight request from aaa.com to bbb.com to ask if the custom headers and methods are allowed.

Everything looks ok, but I'm still getting a 403 error. Here is the request/response:

General:
request url: http://bbb.com/api/someapipage/
request method: options
status code: 403 forbidden
remote address: some ip:80

Response headers:
access-control-allow-credentials: true
access-control-allow-headers: accept, content-type, x-csrftoken, x-requested-with
access-control-allow-methods: get, post, options, head, put, delete
access-control-allow-origin: http://aaa.com
allow: get, post, head, options
connection: keep-alive
content-language: en
content-type: application/json
date: mon, 04 jul 2016 14:20:38 gmt
keep-alive: timeout=5, max=100
server: gunicorn/19.6.0
transfer-encoding: chunked
vary: accept,accept-language,cookie
x-frame-options: sameorigin

Request headers:
accept: */*
accept-encoding: gzip, deflate, sdch
accept-language: en-us,en;q=0.8,ru;q=0.6
access-control-request-headers: accept, content-type, x-csrftoken
access-control-request-method: post
connection: keep-alive
host: aaa.com
origin: http://aaa.com
referer: http://aaa.com/
user-agent: mozilla/5.0 (windows nt 10.0; wow64) applewebkit/537.36 (khtml, gecko) chrome/49.0.2623.87 safari/537.36

After a week of trying to fix the issue, I realised that the server wants vary: cookie on the pre-flighted request, which is impossible because a cross-domain pre-flight request cannot contain a cookie in its header.

I started looking for a solution to the issue and found this: https://code.djangoproject.com/ticket/13217

"Enabling django.middleware.locale.LocaleMiddleware causes Django to add a 'Vary: Cookie' header to every response." So LocaleMiddleware adds the header vary: cookie to the pre-flight OPTIONS response.

There are lots of recommendations to use django-cors-headers to fix this kind of problem. Using the package is functionally equivalent to the settings on the server side.

I have found a pretty package: django-dont-vary-on. If it is installed, I can set decorators to turn off vary: cookie; in my case I need to turn off vary: cookie in the OPTIONS response.

I'm a bit new to Django and cannot imagine what to do in this situation. Every step is like walking on a minefield. Is there a solution or are there alternatives?

You have to CORS-whitelist the client to access the server.

In the case of a cross-domain request, the request becomes preflighted if you use methods other than GET, HEAD or POST.

Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, it becomes preflighted.

It's the server that allows the cross-domain client request to be processed, or denies it (the default).

So if you have access to the server-side application, do the following.

On the server side

Install django-cors-headers on the server side and whitelist the client domain or IP (it is port specific).

pip install django-cors-headers

In settings.py, add it to INSTALLED_APPS:

INSTALLED_APPS = (
    ...
    'corsheaders',
    ...
)

Add corsheaders.middleware.CorsMiddleware to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
)

And define the CORS whitelist:

CORS_ORIGIN_WHITELIST = (
    'aaa.com',
)

Now that you have added the client to the CORS whitelist, you will be able to make a successful AJAX request.
