Django middleware for cross-domain XHR. WARNING: Defaults are unsafe here. Make sure to set proper restrictions in production!
```python
from django import http
from django.conf import settings

# Each setting is read on its own, so defining only some of them in
# settings.py does not reset the others to the defaults.
# WARNING: the defaults below are unsafe; restrict them in production.
XS_SHARING_ALLOWED_ORIGINS = getattr(settings, 'XS_SHARING_ALLOWED_ORIGINS', '*')
XS_SHARING_ALLOWED_METHODS = getattr(
    settings, 'XS_SHARING_ALLOWED_METHODS',
    ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE'])
XS_SHARING_ALLOWED_HEADERS = getattr(
    settings, 'XS_SHARING_ALLOWED_HEADERS', ['Content-Type', '*'])
XS_SHARING_ALLOWED_CREDENTIALS = getattr(
    settings, 'XS_SHARING_ALLOWED_CREDENTIALS', 'true')


class XsSharing(object):
    """
    This middleware allows cross-domain XHR by setting CORS
    (Cross-Origin Resource Sharing) response headers, e.g.:

    Access-Control-Allow-Origin: http://foo.example
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE

    Based off https://gist.github.com/426829
    """

    def process_request(self, request):
        # Answer CORS preflight requests directly with the configured headers.
        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
            response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
            response['Access-Control-Allow-Headers'] = ",".join(XS_SHARING_ALLOWED_HEADERS)
            response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
            return response
        return None

    def process_response(self, request, response):
        # Add the CORS headers to every outgoing response.
        response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
        response['Access-Control-Allow-Methods'] = ",".join(XS_SHARING_ALLOWED_METHODS)
        response['Access-Control-Allow-Headers'] = ",".join(XS_SHARING_ALLOWED_HEADERS)
        response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
        return response
```
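
A restricted alternative to the unsafe defaults, as an added example that is not part of the original gist: the request's `Origin` is echoed back only on an exact allowlist match, so credentials are never combined with `*` (a combination browsers reject). `ALLOWED_ORIGINS`, `cors_headers()` and the sample origins are hypothetical names and constructed values.

```python
# Added example: allowlist-based CORS header selection, framework-independent.
# All names and sample origins here are hypothetical, not from the gist.

ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",  # constructed sample origin
    "http://127.0.0.1:88",      # origin used in the settings example on this page
})
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("Content-Type", "Authorization")


def cors_headers(origin, is_preflight=False, allow_credentials=True):
    """Return the CORS response headers for a request's Origin header value.

    The origin is echoed back only on an exact match against the allowlist.
    Anything else (missing, "null", look-alike hosts) gets no CORS headers,
    so the browser blocks the cross-origin read.
    """
    # The response differs per origin, so caches must key on Origin.
    headers = {"Vary": "Origin"}
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        # Acceptable only because the origin above is one specific
        # allowlisted value, never "*".
        headers["Access-Control-Allow-Credentials"] = "true"
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
    return headers


if __name__ == "__main__":
    # Constructed sample Origin values: allowlisted, look-alike, "null", absent.
    samples = ("https://app.example.com",
               "https://app.example.com.other.test", "null", None)
    for sample in samples:
        print(repr(sample), "->", cors_headers(sample, is_preflight=True))
```

In the middleware above, the origin would come from `request.META.get('HTTP_ORIGIN')` and each returned header would be set on the response in `process_request` and `process_response`.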

timus commented May 11, 2012

Where do I put this code?

jpatel3 commented Oct 13, 2012

  1. Make a folder called middleware and create a file called crossdomainxhr.py (copy the above code into that file).
  2. Add an __init__.py file under middleware so Django can pick it up as a module.
  3. Add .middleware.crossdomainxhr.XsSharing to the MIDDLEWARE_CLASSES section.

jpatel3 commented Oct 13, 2012

And add the below config in settings:

```python
XS_SHARING_ALLOWED_ORIGINS = "http://127.0.0.1:88"
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE']
```

adamjgrant commented Oct 16, 2012

  1. Where does this middleware folder go?
  2. What should be in __init__.py?

adamjgrant commented Oct 16, 2012

And what is meant by "below config"?

defulmere commented Oct 16, 2012

> Where does this middleware folder go?

Anywhere that it can be picked up on your Python search path.

> What should be in __init__.py?

Nothing. The presence of an empty __init__.py file in a directory is sufficient to allow the directory to be treated as a Python module (and thus allow the middleware to be imported).

> And what is meant by "below config"?

Hmm, not too clear on that one, but I suspect that if you put those variables somewhere below MIDDLEWARE_CLASSES in your settings.py, you'll be OK.

phoebebright commented Nov 1, 2012

This worked for me when I was getting a blank response using jQuery and Tastypie. Thank you so much!

kdahlhaus commented Apr 9, 2013

I had to add the extra auth headers and then this worked great! Couldn't get the other GIST about CORSResource for Tastypie to work. This is how I configured it:

```python
# If you start seeing errors here, you must duplicate 'Access-Control-Request-Headers'
# from the request; see https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
XS_SHARING_ALLOWED_HEADERS = ['authorization']
```


mesuutt commented Jan 10, 2014

Is there any special reason you assign the variables outside the class instead of in the __init__ of the class?
