Cross Domain ajax OPTIONS error 403 (Django)
I'm developing a site, aaa.com, on Django, which sends cross-domain AJAX "GET" requests to receive JSON data from bbb.com, also running on Django and using REST framework. At this point it works pretty fine after adding `crossDomain: true; withCredentials: true` and, of course, configuring on the server side of aaa.com:

    ...-Allow-Credentials: true; ...-Allow-Origin: bbb.com
The main issue comes when aaa.com is trying to make PUT, POST or DELETE AJAX requests. According to the CORS documentation [https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0], the client-side AJAX request is correct, and

    ...-Allow-Headers, ...-Allow-Methods

are matched with

    ...-Request-Headers, ...-Request-Methods

so the request is not 'simple', and first of all the browser sends a preflight request from aaa.com to bbb.com to ask if the custom headers and methods are allowed.
Everything is OK, but I'm still getting a 403 error. Here is the request/response:
    General:
        Request URL: http://bbb.com/api/someapipage/
        Request Method: OPTIONS
        Status Code: 403 Forbidden
        Remote Address: some ip:80
    Response Headers:
        Access-Control-Allow-Credentials: true
        Access-Control-Allow-Headers: accept, content-type, x-csrftoken, x-requested-with
        Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE
        Access-Control-Allow-Origin: http://aaa.com
        Allow: GET, POST, HEAD, OPTIONS
        Connection: keep-alive
        Content-Language: en
        Content-Type: application/json
        Date: Mon, 04 Jul 2016 14:20:38 GMT
        Keep-Alive: timeout=5, max=100
        Server: gunicorn/19.6.0
        Transfer-Encoding: chunked
        Vary: Accept,Accept-Language,Cookie
        X-Frame-Options: SAMEORIGIN
    Request Headers:
        Accept: */*
        Accept-Encoding: gzip, deflate, sdch
        Accept-Language: en-US,en;q=0.8,ru;q=0.6
        Access-Control-Request-Headers: accept, content-type, x-csrftoken
        Access-Control-Request-Method: POST
        Connection: keep-alive
        Host: aaa.com
        Origin: http://aaa.com
        Referer: http://aaa.com/
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
After a week of tries to fix the issue, I realised that the server wants `Vary: Cookie` on the pre-flighted request, which is impossible because a cross-domain pre-flight request cannot contain a cookie in its headers.

I started looking for a solution to the issue and found: https://code.djangoproject.com/ticket/13217

"Enabling django.middleware.locale.LocaleMiddleware causes Django to add a 'Vary: Cookie' header to every response." So LocaleMiddleware adds the header `Vary: Cookie` to the pre-flight OPTIONS response.
There are lots of recommendations to use django-cors-headers to fix these problems. Using the package is functionally equal to the settings on the server side.
I have found a pretty package: django-dont-vary-on. If installed, you can set decorators to turn off `Vary: Cookie`, and in my case I need to turn off `Vary: Cookie` in the OPTIONS response.
I'm a bit new to Django and cannot imagine what to do in this situation. Every step is like walking on a minefield. Is there a solution, or any alternatives?
You have to CORS-whitelist the client to access the server.

In the case of a cross-domain request, the request becomes preflighted if you use methods other than GET, HEAD or POST.

Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, it becomes preflighted.

It is the server that allows the cross-domain client request to be processed or denies it (the default).

So if you have access to the server-side application, do the following.
On the server side

Install django-cors-headers on the server side and whitelist the client domain or IP (it is port specific):

    pip install django-cors-headers
In settings.py, add it to INSTALLED_APPS:

    INSTALLED_APPS = (
        ...
        'corsheaders',
        ...
    )
Add corsheaders.middleware.CorsMiddleware to MIDDLEWARE_CLASSES:

    MIDDLEWARE_CLASSES = (
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'corsheaders.middleware.CorsMiddleware',  # the line to add
        'django.middleware.common.CommonMiddleware',
        ....
    )
And define the CORS whitelist:

    CORS_ORIGIN_WHITELIST = (
        'aaa.com',
    )
Now that you have added the client to the CORS whitelist, you will be able to make a successful AJAX request.
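The preflight rules this answer describes, as an added example (not the asker's code and not django-cors-headers): one function models when the browser preflights a request, the other models the check a server makes against its whitelist, fed with the header values from the question's capture. Helper names and the whitelist format are my own assumptions.

```python
from typing import Dict, Iterable, Optional, Tuple

# Constructed from the page's own exchange. Helper names are my own and are
# not the django-cors-headers API.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def is_preflighted(method: str, content_type: Optional[str] = None) -> bool:
    """Anything but GET/HEAD/POST, or a POST whose Content-Type is not one of
    the three simple types, makes the browser send an OPTIONS preflight."""
    method = method.upper()
    if method not in SIMPLE_METHODS:
        return True
    if method == "POST" and content_type is not None:
        base = content_type.split(";")[0].strip().lower()
        return base not in SIMPLE_CONTENT_TYPES
    return False


def _csv(value: str) -> set:
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def evaluate_preflight(request_headers: Dict[str, str], whitelist: Iterable[str],
                       allow_methods: Iterable[str], allow_headers: Iterable[str]
                       ) -> Tuple[int, Dict[str, str]]:
    """Server side of the preflight. Whitelist entries are full origins
    (scheme://host[:port]) compared exactly, which is why the whitelist is
    port specific. Returns (status, response headers)."""
    allow_methods, allow_headers = list(allow_methods), list(allow_headers)
    origin = request_headers.get("Origin")
    if origin is None or origin not in set(whitelist):
        return 403, {}
    wanted_method = request_headers.get("Access-Control-Request-Method", "").upper()
    if wanted_method not in {m.upper() for m in allow_methods}:
        return 403, {}
    wanted_headers = _csv(request_headers.get("Access-Control-Request-Headers", ""))
    if not wanted_headers <= {h.lower() for h in allow_headers}:
        return 403, {}
    return 200, {
        # A credentialed request needs the origin echoed back, never "*", and
        # Vary: Origin so a cache does not serve one origin's answer to another.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(allow_methods),
        "Access-Control-Allow-Headers": ", ".join(allow_headers),
        "Vary": "Origin",
    }
```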