From 68580fcd253da9ab7c0ede4da8ca3e4e86f811ad Mon Sep 17 00:00:00 2001
From: Andrey Zhavoronkov <41117609+azhavoro@users.noreply.github.com>
Date: Tue, 3 Dec 2019 19:38:42 +0300
Subject: [PATCH] set CORS_REPLACE_HTTPS_REFERER option to True (#895)
---
 cvat/requirements/base.txt | 2 +-
 cvat/settings/base.py | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/cvat/requirements/base.txt b/cvat/requirements/base.txt
index 3c8c5d52617d..478b9b0d2ef0 100644
--- a/cvat/requirements/base.txt
+++ b/cvat/requirements/base.txt
@@ -45,5 +45,5 @@ keras==2.2.5
 opencv-python==4.1.0.25
 h5py==2.9.0
 imgaug==0.2.9
-django-cors-headers==3.0.2
+django-cors-headers==3.2.0
 furl==2.0.0
diff --git a/cvat/settings/base.py b/cvat/settings/base.py
index 54d2e281aa56..689a8eab68e6 100644
--- a/cvat/settings/base.py
+++ b/cvat/settings/base.py
@@ -174,13 +174,15 @@ def generate_ssh_keys():
 MIDDLEWARE = [
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
+ 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
+ # FIXME
+ # 'corsheaders.middleware.CorsPostCsrfMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'dj_pagination.middleware.PaginationMiddleware',
- 'corsheaders.middleware.CorsMiddleware',
 ]

 # Cross-Origin Resource Sharing settings for CVAT UI
@@ -191,6 +193,7 @@ def generate_ssh_keys():
 CSRF_TRUSTED_ORIGINS = [UI_HOST]
 UI_URL = '{}://{}:{}'.format(UI_SCHEME, UI_HOST, UI_PORT)
 CORS_ORIGIN_WHITELIST = [UI_URL]
+CORS_REPLACE_HTTPS_REFERER = True

 STATICFILES_FINDERS = [
 'django.contrib.staticfiles.finders.FileSystemFinder',
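Review bot: The `CorsPostCsrfMiddleware` entry in MIDDLEWARE is left commented out under a bare `# FIXME`, while the later hunk of this file turns on `CORS_REPLACE_HTTPS_REFERER`. django-cors-headers documents the two as a pair: CorsMiddleware rewrites the Referer so that CsrfViewMiddleware accepts it, and CorsPostCsrfMiddleware, placed after CsrfViewMiddleware, restores the original value. With the entry disabled, every middleware and view after the CSRF check sees the substituted Referer, including anything that logs or audits that header. Either enable the entry or state why it is off, e.g. `# FIXME: CorsPostCsrfMiddleware disabled because <reason>; Referer stays rewritten for downstream code`.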
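Review bot: `CORS_REPLACE_HTTPS_REFERER = True` lets every origin in `CORS_ORIGIN_WHITELIST` pass Django's HTTPS Referer check, so CORS read trust and CSRF write trust become one list, and nothing in the settings records that coupling. The `CSRF_TRUSTED_ORIGINS = [UI_HOST]` context line above it is Django's own mechanism for this. If that is not enough, the likely cause is that the UI runs on a non-default port and the Referer's host:port does not match the bare host; `CSRF_TRUSTED_ORIGINS = ['{}:{}'.format(UI_HOST, UI_PORT)]` may then remove the need for the rewrite, to be confirmed against the Django version in use. If the rewrite stays, add a comment such as `# Whitelisted CORS origins also bypass the CSRF Referer check; keep CORS_ORIGIN_WHITELIST limited to the CVAT UI`.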