ridoo
commented
3 months ago @t-book while you are here, wouldn't it make sense to sync all CORS settings? https://pypi.org/project/django-cors-headers allows to configure more CORS settings which are configured in nginx also, e.g.
CORS_ALLOW_METHODSCORS_ALLOW_HEADERSCORS_PREFLIGHT_MAX_AGECORS_ALLOW_CREDENTIALS- and more
However, all these can be set from settings.py but they are not part of the .env file. Introducing all of them would blow up things, IMO. This only because we want to sync GeoNode CORS settings with nginx CORS settings? Maybe I did not understand why we would need to protect other (static) resources served by nginx rather than just let Django do its job.
@giohappy sorry for not (yet) being convinced here :)
@giohappy @ridoo
I'd suggest to add the header for now as geoserver does (with Tomcat). As said in the ticket django-cors-headers is enabled with django in case somebody uses some other fe server than nginx
My take on this is:
If
CORS_ALLOW_ALL_ORIGINS = Truehttps://github.com/GeoNode/geonode/blob/684a1f3572a39b6ab8ba5a6ce7ea4d96fc739c8c/.env.sample#L134
we set the wildcard and all origins will be allowed
Else the domain name of SITEURL will be set https://github.com/GeoNode/geonode/blob/684a1f3572a39b6ab8ba5a6ce7ea4d96fc739c8c/.env.sample#L44