
Middleware to allow your Django server to respond appropriately to cross-domain XHR (postMessage HTML5 API).

from django.conf import settings
from django import http

# Both settings are optional. Note the defaults: '*' lets a page on ANY
# origin read responses from this server, so set an explicit origin in
# settings.py for anything that is not public data.
try:
    XS_SHARING_ALLOWED_ORIGINS = settings.XS_SHARING_ALLOWED_ORIGINS
    XS_SHARING_ALLOWED_METHODS = settings.XS_SHARING_ALLOWED_METHODS
except AttributeError:
    XS_SHARING_ALLOWED_ORIGINS = '*'
    XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE']


class XsSharing(object):
    """
    This middleware allows cross-domain XHR using the html5 postMessage API.
    Access-Control-Allow-Origin: http://foo.example
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
    """

    def process_request(self, request):
        # A preflight (OPTIONS) request carries Access-Control-Request-Method;
        # answer it directly with an empty response plus the CORS headers so
        # the view is never hit for preflights.
        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
            response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
            return response
        return None

    def process_response(self, request, response):
        # Avoid unnecessary work: a view (or the preflight branch above)
        # may already have set the header.
        if response.has_header('Access-Control-Allow-Origin'):
            return response
        # Access-Control-Allow-Origin takes a single origin or '*';
        # a comma-separated list is not valid here.
        response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
        response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
        return response
@timsloan

Thanks. This helped a lot.

@sandinmyjoints

This is great, thanks!

@jessykate

awesome, thanks a lot!

@axelpale

Very nice, thank you! If I must say something constructive, I would rename the class to XsSharingMiddleware. The Middleware suffix seems to be the convention amongst Django middlewares. For example: 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware'. And what does Xs mean? Anyway, thanks for the gist, I will put it to good use :)

@barrabinfc
Owner

Thanks @doph. I will rewrite it, but anyway, I haven't been working with Django for a long time, so if you want to fork and maintain this snippet and keep it updated with Django, I would appreciate it a lot!

The "xs" suffix was just a "gotcha" with XSS. I could name it XssSharing, but I prefer to let the last 's' merge with "sharing". You can rename it as you like.

@jessykate

@doph @frangossauro I've been using this awesome gist and customized it a bit to support allowed headers, which I needed to make CORS work for my project. You can see my fork here: https://gist.github.com/2941258

@nybatista

Made my day. Thanks a lot

@ondrejsika

Thanks

@manuganji

Thanks for this! :)

@Sascuash

Thanks, that's really helpful.

Quick question: What changes should I make in order to allow certain URLs of my site to be "open" for CORS?

@Mbrownshoes

I'm trying to get this going but still get this error when I load my site:

XMLHttpRequest cannot load http://localhost:8080/geoserver/wfs. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.

My settings.py file:
XS_SHARING_ALLOWED_ORIGINS = 'http://localhost:8080, http://127.0.0.1:8000/'
XS_SHARING_ALLOWED_METHODS = "POST, GET, OPTIONS, PUT, DELETE"

Any help would be greatly appreciated!

@ozen

@Mbrownshoes multiple origins are not allowed. I changed XS_SHARING_ALLOWED_ORIGINS into a list and added the following code to the middleware:

        if 'HTTP_ORIGIN' in request.META:
            for origin in settings.XS_SHARING_ALLOWED_ORIGINS:
                if origin == request.META['HTTP_ORIGIN']:
                    response['Access-Control-Allow-Origin'] = origin
                    break

It looks into the list and adds the allowed-origin header only for the current origin, if it is in the list.
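
The allow-list fix above, written out as a complete example (added here; it is not the gist's own code or @ozen's fork). It works on a plain dict shaped like Django's request.META so it runs without Django installed, and it also covers the two questions earlier in the thread: the comma-separated XS_SHARING_ALLOWED_ORIGINS string from @Mbrownshoes's settings.py is normalised into a list (with the trailing slash, which an Origin header never carries, stripped), and an optional allowed_paths prefix list answers @Sascuash's question about opening only some URLs. The names parse_allowed_origins, cors_headers and allowed_paths are this example's own assumptions, as is the sample configuration.

```python
# Added example, not the gist's code: origin allow-list for CORS headers.
# Reads a dict with the same CGI-style keys as Django's request.META
# (HTTP_ORIGIN, REQUEST_METHOD, PATH_INFO, HTTP_ACCESS_CONTROL_REQUEST_METHOD).

# Constructed sample configuration, in the gist-style string form.
XS_SHARING_ALLOWED_ORIGINS = "http://localhost:8080, http://127.0.0.1:8000/"
XS_SHARING_ALLOWED_METHODS = ["POST", "GET", "OPTIONS", "PUT", "DELETE"]
PREFLIGHT_MAX_AGE = 600  # seconds a browser may cache a preflight result


def parse_allowed_origins(setting):
    """Accept '*', a comma-separated string, or a list; return a clean list.

    A browser's Origin header is scheme://host[:port] with no path and no
    trailing slash, so 'http://127.0.0.1:8000/' in settings would never
    match. The slash is stripped here; the comparison in cors_headers stays
    an exact string match (no substring or prefix matching on origins).
    """
    if isinstance(setting, str):
        setting = setting.split(",")
    return [o.strip().rstrip("/") for o in setting if o.strip()]


def cors_headers(meta, allowed_origins=XS_SHARING_ALLOWED_ORIGINS,
                 allowed_methods=XS_SHARING_ALLOWED_METHODS,
                 allowed_paths=None):
    """Return the CORS headers for one request, or {} to grant nothing.

    allowed_paths, when given, is a list of URL prefixes; requests outside
    them get no CORS headers at all (hypothetical parameter, not in the gist).
    """
    origins = parse_allowed_origins(allowed_origins)
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to grant
    if allowed_paths is not None and not any(
            meta.get("PATH_INFO", "").startswith(p) for p in allowed_paths):
        return {}

    if "*" in origins:
        # The gist's default. Browsers refuse '*' for credentialed requests,
        # so this only ever exposes responses that are readable anonymously.
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in origins:
        # Echo exactly one origin and tell caches the answer depends on it,
        # so a cached response for origin A is not served to origin B.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}  # unknown origin: browser blocks the cross-origin read

    # Preflight: OPTIONS carrying Access-Control-Request-Method.
    if (meta.get("REQUEST_METHOD") == "OPTIONS"
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in meta):
        requested = meta["HTTP_ACCESS_CONTROL_REQUEST_METHOD"].upper()
        if requested not in allowed_methods:
            return {}  # method not on the list: preflight fails
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return headers


if __name__ == "__main__":
    # Constructed requests: an allowed page doing a GET, and a preflight.
    print(cors_headers({"HTTP_ORIGIN": "http://127.0.0.1:8000",
                        "REQUEST_METHOD": "GET", "PATH_INFO": "/api/x"}))
    print(cors_headers({"HTTP_ORIGIN": "http://localhost:8080",
                        "REQUEST_METHOD": "OPTIONS",
                        "HTTP_ACCESS_CONTROL_REQUEST_METHOD": "PUT"}))
```

To wire this into the gist, replace the two header assignments in process_request and process_response with a loop over cors_headers(request.META).items() that sets each header on the response; the preflight branch keeps returning an empty HttpResponse. The important behavioural difference from the gist is that an origin not on the list gets no Access-Control-Allow-Origin header at all, rather than a value the browser would reject anyway.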

@Adrihein

Wonderful, thank you.
