Django 3.1: CORS headers not set on error responses?
See original GitHub issueHello, I’m not sure if there’s something I’m misunderstanding, but from my experiments, it seems like django-cors-headers
is not setting CORS headers on HTTP 4XX error responses, when used with Django 3.1. I know there’s been some changes to the way middleware are handled over the years. Is it possible that django-cors-headers
needs to be updated to be fully compatible with newer versions?
As an experiment, I added a process_exception()
method to CorsMiddleware
, like this:
def process_exception(self, request, exception):
return self.process_response(request, exception)
And that seems to have resolved my issue. Is this a sensible way to proceed? If so, I’m happy to put together a formal pull request.
Thanks for a useful library!
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:6 (1 by maintainers)
Top Results From Across the Web
django-cors-headers - PyPI
A Django App that adds Cross-Origin Resource Sharing (CORS) headers to responses. This allows in-browser requests to your Django application from other ...
Read more >django-cors-headers not work - Stack Overflow
I tried installing django-cors-headers to fix the error I was getting when running my django app with production settings.
Read more >Clickjacking Protection - Django documentation
The X-Frame-Options HTTP header will only be set by the middleware or view decorators if it is not already present in the response....
Read more >How to Fix Django CORS Error - DZone Web Dev
One of the common errors we get each time when we consume Django API is CORS error. The error might say something like:...
Read more >Adding CORS support to an API proxy | Apigee Edge
Note that there is no TargetEndpoint specified. If the OPTIONS request is received and the Origin and Access-Control-Request-Method request headers are not null ......
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
In our case, yes, I think we definitely want CORS headers set on error responses. We’re using graphene-django to build a GraphQL API. If the client sends us a malformed query, we want to be able to return a sensible error without the browser tripping over CORS restrictions.
I can’t say this is universal, but I would guess most people building APIs in Django and setting CORS headers would also want those headers on their error responses. Do you think it’s correct to treat
process_exception()
andprocess_response()
equivalently? The only thing that gives me pause is returning an HTTP response fromprocess_exception()
will short-circuit other middleware executions. But the CORS middleware needs to be near the outside of the middleware stack anyway, right?Hi @marcosalcazar yes, we just subclassed
CorsMiddleware
and added theprocess_exception()
method as above. We haven’t run into any problems that I’m aware of, but it does feel a little bit hacky. I’d like to see a proper upstream fix for this issue.