Skip to content

Instantly share code, notes, and snippets.

@strogonoff
Created November 16, 2011 08:56
Show Gist options
  • Save strogonoff/1369619 to your computer and use it in GitHub Desktop.
Save strogonoff/1369619 to your computer and use it in GitHub Desktop.
Django middleware for cross-domain XHR. WARNING: Defaults are unsafe here. Make sure to set proper restrictions in production!
from django import http
try:
from django.conf import settings
XS_SHARING_ALLOWED_ORIGINS = settings.XS_SHARING_ALLOWED_ORIGINS
XS_SHARING_ALLOWED_METHODS = settings.XS_SHARING_ALLOWED_METHODS
XS_SHARING_ALLOWED_HEADERS = settings.XS_SHARING_ALLOWED_HEADERS
XS_SHARING_ALLOWED_CREDENTIALS = settings.XS_SHARING_ALLOWED_CREDENTIALS
except AttributeError:
XS_SHARING_ALLOWED_ORIGINS = '*'
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE']
XS_SHARING_ALLOWED_HEADERS = ['Content-Type', '*']
XS_SHARING_ALLOWED_CREDENTIALS = 'true'
class XsSharing(object):
"""
This middleware allows cross-domain XHR using the html5 postMessage API.
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Based off https://gist.github.com/426829
"""
def process_request(self, request):
if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
response = http.HttpResponse()
response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS )
response['Access-Control-Allow-Headers'] = ",".join( XS_SHARING_ALLOWED_HEADERS )
response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
return response
return None
def process_response(self, request, response):
response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS )
response['Access-Control-Allow-Headers'] = ",".join( XS_SHARING_ALLOWED_HEADERS )
response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
return response
@timus
Copy link

timus commented May 11, 2012

Where to put this codes?

@jpatel3
Copy link

jpatel3 commented Oct 13, 2012

  1. Make folder called middleware and create a file called crossdomainxhr.py (copy above code under that file)
  2. add init.py file under middleware so django can pickup it as module.
  3. Add .middleware.crossdomainxhr.XsSharing in MIDDLEWARE_CLASSES section

@jpatel3
Copy link

jpatel3 commented Oct 13, 2012

And add below config in settings -

XS_SHARING_ALLOWED_ORIGINS = "http://127.0.0.1:88"
XS_SHARING_ALLOWED_METHODS = ['POST','GET','OPTIONS', 'PUT', 'DELETE']

@adamjgrant
Copy link

  1. Where does this middleware folder go?
  2. What should be in init.py?

@adamjgrant
Copy link

And what is meant by "below config"?

@defulmere
Copy link

Where does this middleware folder go?

Anywhere that it can be picked up on your Python search path.

What should be in init.py?

Nothing. The presence of an empty __init__.py file in a directory is sufficient to allow the directory to be treated as a Python module (and thus allow the middleware to be imported).

And what is meant by "below config"?

Hmm, not too clear on that one, but I suspect that if you put those variables somewhere below MIDDLEWARE_CLASSES in your settings.py, you'll be OK.

@phoebebright
Copy link

This worked for me when I was getting blank response using jquery and tastypie. Thank you so much!

@kdahlhaus
Copy link

I had to add the extra auth headers and then this worked great! Couldn't get the other GIST about CORSResource for Tastypie to work. This is how I configured it:

XS_SHARING_ALLOWED_HEADERS = ['authorization']  # IF START SEEING ERRORS HERE must DUPLICATE ' Access-Control-Request-Headers' from request see https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS

@mesuutt
Copy link

mesuutt commented Jan 10, 2014

There is any special reason you assign variables outside class instead of init of the class ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment