
Middleware to allow your Django server to respond appropriately to cross domain XHR (postMessage html5 API).

```python
import re

from django.utils.text import compress_string
from django.utils.cache import patch_vary_headers
from django import http
from django.conf import settings

# Allowed origin and methods are read from the project's settings module.
XS_SHARING_ALLOWED_ORIGINS = settings.XS_SHARING_ALLOWED_ORIGINS
XS_SHARING_ALLOWED_METHODS = settings.XS_SHARING_ALLOWED_METHODS


class XsSharing(object):
    """
    This middleware allows cross-domain XHR using the html5 postMessage API.

    Access-Control-Allow-Origin: http://foo.example
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    """

    def process_request(self, request):
        # A preflight request carries Access-Control-Request-Method;
        # answer it directly without calling the view.
        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
            response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
            return response
        return None

    def process_response(self, request, response):
        # Avoid unnecessary work
        if response.has_header('Access-Control-Allow-Origin'):
            return response
        response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
        response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
        return response
```

Thanks. This helped a lot.


This is great, thanks!


awesome, thanks a lot!


Very nice, thank you! If I must say something constructive, I would name the class to XsSharingMiddleware. Middleware-postfix seems to be the convention amongst Django middlewares. For example: 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware'. And what does Xs mean? Anyway, thanks for the gist, I will put it to good use :)


Thanks @doph. I will rewrite, but anyway, I'm not working with Django anymore for a long time, so if you want to fork and maintain this snippet updated with Django, I will appreciate it a lot!

The "xs" suffix was just a "gotcha" with XSS. I could name it XssSharing, but I prefer to let the last 's' mixed with sharing. You can rename as you like.


@doph @frangossauro I've been using this awesome gist and customized it a bit to support allowed headers, which I needed to make CORS work for my project. You can see my fork here:


Made my day. Thanks a lot.




Thanks for this! :)


Thanks, that's really helpful.

Quick question: What changes should I make in order to allow certain urls of my site to be "open" for cors?


I'm trying to get this going but still get this error when I load my site

XMLHttpRequest cannot load http://localhost:8080/geoserver/wfs. Origin is not allowed by Access-Control-Allow-Origin.

My file
XS_SHARING_ALLOWED_ORIGINS = 'http://localhost:8080,'

Any help would be greatly appreciated!

ozen commented Jun 20, 2014

@Mbrownshoes multiple origins are not allowed. I changed XS_SHARING_ALLOWED_ORIGINS into a list and added the following code to the middleware:

        if 'HTTP_ORIGIN' in request.META:
            for origin in settings.XS_SHARING_ALLOWED_ORIGINS:
                if origin == request.META['HTTP_ORIGIN']:
                    response['Access-Control-Allow-Origin'] = origin

It looks into the list and adds the allowed-origin header only for the current origin if it is in the list.
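
The per-request origin check described in the comment above, as an added example that is not part of the gist or of any comment: it runs without Django, and `normalize_origins`, `cors_headers`, the `meta` dict standing in for `request.META` and the sample values are hypothetical names. It goes beyond the comment by accepting the comma-separated setting from the earlier question and by setting `Vary: Origin`, which a response that differs per origin needs when caches sit in front of the server.

```python
from urllib.parse import urlsplit


def normalize_origins(configured):
    """Turn a list, or a comma-separated string, into a set of exact origins."""
    if isinstance(configured, str):
        configured = configured.split(",")
    origins = set()
    for item in configured:
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        parts = urlsplit(item)
        # An origin is scheme://host[:port] only: no path, query or wildcard.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("not an origin: %r" % item)
        if parts.path or parts.query or parts.fragment:
            raise ValueError("origin must not carry a path: %r" % item)
        origins.add("%s://%s" % (parts.scheme, parts.netloc.lower()))
    return frozenset(origins)


def cors_headers(meta, allowed_origins, allowed_methods):
    """Return the CORS response headers for one request.

    meta stands in for Django's request.META (assumption of this example).
    """
    # The answer depends on the Origin header, so caches must key on it.
    headers = {"Vary": "Origin"}
    origin = meta.get("HTTP_ORIGIN")
    if origin not in allowed_origins:
        return headers  # no Allow-Origin header: the browser refuses the read
    # Echo exactly one origin; the header cannot hold a comma-separated list.
    headers["Access-Control-Allow-Origin"] = origin
    if (meta.get("REQUEST_METHOD") == "OPTIONS"
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in meta):
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
    return headers


# Constructed sample input: the setting value quoted earlier in the thread.
ALLOWED = normalize_origins("http://localhost:8080,")
METHODS = ["GET", "POST", "OPTIONS"]

if __name__ == "__main__":
    print(cors_headers({"HTTP_ORIGIN": "http://localhost:8080",
                        "REQUEST_METHOD": "GET"}, ALLOWED, METHODS))
    print(cors_headers({"HTTP_ORIGIN": "http://other.example",
                        "REQUEST_METHOD": "GET"}, ALLOWED, METHODS))
```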


Wonderful, thank you.

Roryjia commented Dec 2, 2016

@ozen works for me, thanks!
