Axios blocked by CORS policy with Django REST Framework: 'Access-Control-Allow-Origin' header in the response must not be wildcard
[英]Axios blocked by CORS policy with Django REST Framework: 'Access-Control-Allow-Origin' header in the response must not be wildcard
问题描述
Using vuejs3 ans axios, I'm trying to make a API call out to a django project, and getting a CORS error on the chrome side. 
Using vuejs3 ans axios, I'm trying to make a API call out to a django project, and getting a CORS error on the chrome side. Not sure what setting I'm missing here...不知道我在这里缺少什么设置...
The preflight OPTIONS response returned is ok, but chrome is upset that the 'Access-Control-Allow-Origin' header is "*".返回的预检 OPTIONS 响应正常,但 chrome 对'Access-Control-Allow-Origin' header 为“*”感到不安。
I'm using django-rest-framework with django-cors-headers .我正在使用 django-rest-framework 和django-cors-headers 。
django.settings: django.settings:
ALLOWED_HOSTS = ["*"]
# CORS
CORS_ALLOW_ALL_ORIGINS = False # was initially True
CORS_ALLOW_HEADERS = "*"
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOWED_ORIGINS = ["https://mydomain", "http://localhost:8080", "http://127.0.0.1:8080"]
# Application definition
INSTALLED_APPS = [
"django.contrib.auth",
"django.contrib.contenttypes",
"django.contrib.sessions",
"django.contrib.messages",
"django.contrib.staticfiles",
"corsheaders",
...
]
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.locale.LocaleMiddleware",
"corsheaders.middleware.CorsMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
...
]
vuejs/axios side: vuejs/axios 方面:
axios.defaults.xsrfHeaderName = 'X-CSRFToken';
axios.defaults.xsrfCookieName = 'csrftoken';
axios.defaults.withCredentials = true;
const url = `https://mydomin/my/endpoint/`;
response = axios.get(url);
I thought setting CORS_ALLOW_ALL_ORIGINS to False and defining CORS_ALLOWED_ORIGINS values would resolve the issue, but the Access-Control-Allow-Origin header is still showing as "*".我认为将CORS_ALLOW_ALL_ORIGINS设置为False并定义CORS_ALLOWED_ORIGINS值可以解决问题,但Access-Control-Allow-Origin header 仍显示为“*”。
Am I missing a setting?我错过了一个设置吗?
Here's the Options header result:这是选项 header 结果:
4 个解决方案
解决方案1
1 2022-08-02 05:47:11
Try CORS_ALLOW_HEADERS as list like this尝试 CORS_ALLOW_HEADERS 作为这样的列表
CORS_ALLOW_HEADERS = [
"accept",
"accept-encoding",
"authorization",
"content-type",
"dnt",
"origin",
"user-agent",
"x-csrftoken",
"x-requested-with",
] ]
解决方案2
1 2022-08-02 05:58:12
Change CORS_ALLOW_HEADERS to this. CORS_ALLOW_HEADERS更改为此。 I tried it and worked我试过了,工作了
CORS_ALLOW_HEADERS = [
"accept",
"accept-encoding",
"authorization",
"content-type",
"content-disposition",
"dnt",
"origin",
"user-agent",
"x-csrftoken",
"x-requested-with",
]
解决方案3
1 2022-08-02 07:34:28
Maybe other middleware is preventing the CORS middleware to set the header.也许其他中间件阻止 CORS 中间件设置 header。 The documentation states:该文档指出:
CorsMiddleware should be placed as high as possible, especially before any middleware that can generate responses such as Django's CommonMiddleware or Whitenoise's WhiteNoiseMiddleware.
So try to change the order of the middleware, like:所以尝试改变中间件的顺序,比如:
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
...
]
解决方案4
0 2022-08-02 04:57:19
What is in your headers of your http requests?您的 http 请求的标头中有什么? It may help to include ""Access-Control-Allow-Origin": "*"," if it's not there already.如果它还没有的话,它可能有助于包含“”Access-Control-Allow-Origin”:“*”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.