Problem with HTTPS/SSL, CSRF_TRUSTED_ORIGINS not working.
So I hit an issue while porting my site to use HTTPS.
Everything worked fine with HTTP but after switching to HTTPS I kept getting
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The workaround was to set CORS_ORIGIN_ALLOW_ALL to True, which I am not that happy with.
The peculiar thing was the error popped up only on the URLs/resources when Django was trying to set some Sessions (like logging in etc.). So maybe there is a conflict in how CORS behaves on these resources on browsers?
Issue Analytics
- State:
- Created 6 years ago
- Comments:6 (3 by maintainers)
Top GitHub Comments
I think I ran into the same or a similar issue. I was trying to add my front-end to CORS_ORIGIN_WHITELIST and it just wasn’t working; the request always failed with the “Response to preflight request doesn’t pass access control check…” error that @parth-choudhary was getting. My front-end is only accessible via HTTPS.

I tried
CORS_ORIGIN_WHITELIST = ['app.mysite.com']
, and
CORS_ORIGIN_WHITELIST = ['app.mysite.com', 'https://app.mysite.com']
, and neither of these worked.

However,
CORS_ORIGIN_WHITELIST = ['https://app.mysite.com', 'app.mysite.com']
does seem to be working correctly. So it seems like it’s necessary to include the HTTPS version of the origin, and it also must be included before the non-HTTPS version.

It isn’t being cached outside of the python process, and if you’re restarting that fine it should be working. Maybe something changed outside of Djangoland e.g. in gunicorn/nginx config?
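
An added example, not code from this thread or from django-cors-headers: browsers send the Origin header as scheme://host[:port], so a strict allowlist check compares full origins, and auditing the list for entries that cannot be parsed as origins is an alternative to setting CORS_ORIGIN_ALLOW_ALL to True. The function names are hypothetical and the app.mysite.com values are constructed from the entries quoted above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a full web origin, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # bare host name without a scheme, or the literal "null"
    if "@" in parts.netloc or parts.path not in ("", "/"):
        return None  # an origin carries no userinfo and no path
    if parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def audit_allowlist(entries):
    """Split allowlist entries into usable origins and entries that are not origins."""
    usable, rejected = set(), []
    for entry in entries:
        origin = normalize_origin(entry)
        if origin is None:
            rejected.append(entry)
        else:
            usable.add(origin)
    return usable, rejected


def is_allowed(origin_header, entries):
    """Exact scheme + host + port comparison of an Origin header against the list."""
    usable, _ = audit_allowlist(entries)
    origin = normalize_origin(origin_header)
    return origin is not None and origin in usable


if __name__ == "__main__":
    # Constructed sample: one of the allowlists quoted in the thread.
    allowlist = ["https://app.mysite.com", "app.mysite.com"]
    print(audit_allowlist(allowlist))
    print(is_allowed("https://app.mysite.com", allowlist))
    print(is_allowed("http://app.mysite.com", allowlist))
```
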