Remove custom CORS logic #9945
Remove custom CORS logic #9945
Conversation
| # We don't need or want to allow cross site requests in proxito. | ||
| CORS_URLS_ALLOW_ALL_REGEX = [] |
There was a problem hiding this comment.
removing the middleware should be enough, but just in case if we added it here we don't want to inherit the endpoints from the dashboard.
There was a problem hiding this comment.
Sorry to have to post a comment in a merged PR. I'm trying to understand what the security hardening was about to write a sentence or two in the newsletter. Which landed me here.
And that had me wondering that I cannot find CORS_URLS_ALLOW_ALL_REGEX in the documentation of django-cors-headers: https://pypi.org/project/django-cors-headers/
But I was looking at the wrong project.
We seem to be using this one: https://pypi.org/project/django-cors-headers/ - which hasn't been updated for 4 years and has 135 stars. django-cors-headers is cruising at over 4800 stars :)
It looks like it's been previously "saved by the bell" so to speak: #4694 - but maybe this is a good "tech debt" roadmap candidate.
oh yeah and that configuration setting is:
Specify a list of URL regex for which to allow all origins
So I guess that in all other cases, we are setting CORS headers to deny. I'll probably be asking how it works and what we changed :)
There was a problem hiding this comment.
Yes, we are using the forked version, but we should be able to migrate to the new version, see #8713, we just need to be careful making sure the settings from the fork match the settings from the new package.
I'll probably be asking how it works and what we changed :)
Before we were allowing cross site requests allowing credentials to be passed, now we are allowing cross site requests as before, but we don't allow credentials to be passed (cookies).
Co-authored-by: Eric Holscher <[email protected]>
We don't need this logic anymore, we don't allow passing cookies, so just checking the list of allowed URLs is enough.