Middlware to allow's your django server to respond appropriately to cross domain XHR (postMessage html5 API).

django-crossdomainxhr-middleware.py

import re

from django.utils.text import compress_string
from django.utils.cache import patch_vary_headers

from django import http

try:
    import settings 
    XS_SHARING_ALLOWED_ORIGINS = settings.XS_SHARING_ALLOWED_ORIGINS
    XS_SHARING_ALLOWED_METHODS = settings.XS_SHARING_ALLOWED_METHODS
except:
    XS_SHARING_ALLOWED_ORIGINS = '*'
    XS_SHARING_ALLOWED_METHODS = ['POST','GET','OPTIONS', 'PUT', 'DELETE']


class XsSharing(object):
    """
        This middleware allows cross-domain XHR using the html5 postMessage API.
         

        Access-Control-Allow-Origin: http://foo.example
        Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    """
    def process_request(self, request):

        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response['Access-Control-Allow-Origin']  = XS_SHARING_ALLOWED_ORIGINS 
            response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS ) 
            
            return response

        return None

    def process_response(self, request, response):
        # Avoid unnecessary work
        if response.has_header('Access-Control-Allow-Origin'):
            return response

        response['Access-Control-Allow-Origin']  = XS_SHARING_ALLOWED_ORIGINS 
        response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS )

        return response

Thanks. This helped a lot.

This is great, thanks!

awesome, thanks a lot!

Very nice, thank you! If I must say something constructive, I would name the class to XsSharingMiddleware. Middleware-postfix seems to be the convention amongst Django middlewares. For example: 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware'. And what does Xs mean? Anyway, thanks for the gist, I will put it to good use :)

Thanks @doph. I will rewrite, but anyway, i'm not working with django anymore for a long time, so if you want to fork and maintain this snippet updated with django, i will appreciate a lot!

The "xs" suffix was just a "gotcha" with XSS. I could name it XssSharing , but i prefer to let the last 's' mixed with sharing. You can rename as you like.

@doph @frangossauro i've been using this awesome gist and customized it a bit to support allowed headers, which i needed to make CORS work for my project. you can see my fork here: https://gist.github.com/2941258

made my day. thanks alot

Thanks

Thanks for this! :)

Thanks, that's really helpful.

Quick question: What changes should I make in order to allow certain urls of my site to be "open" for cors?

I'm trying to get this going but still get this error when I load my site

XMLHttpRequest cannot load http://localhost:8080/geoserver/wfs. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.

My settings.py file
XS_SHARING_ALLOWED_ORIGINS = 'http://localhost:8080, http://127.0.0.1:8000/'
XS_SHARING_ALLOWED_METHODS = "POST, GET, OPTIONS, PUT, DELETE"

Any help would be greatly appreciated!

@Mbrownshoes multiple origins are not allowed. I changed XS_SHARING_ALLOWED_ORIGINS into a list and add the following code to the middleware:

        if 'HTTP_ORIGIN' in request.META:
            for origin in settings.XS_SHARING_ALLOWED_ORIGINS:
                if origin == request.META['HTTP_ORIGIN']:
                    response['Access-Control-Allow-Origin'] = origin
                    break

It looks into the list and add the allowed-origin header only for the current origin if it is in the list.

Wonderful, thank you.

@ozen work for me , thanks !