Closed fenekku closed 6 years ago
Hello,
If that is an exact configuration example, the issue is that the origins specified does not match the Origin header. http://example123.com
will not match http://example.com
. Update the specified origins to http://example123.com
and things should work as you expect.
Cheers, Cory
Oh! The Access-Control-Allow-Origin: http://example.com
(and family) header is only returned for a request with Origin
that matches the allowed policy and no such headers are returned at all for other requests without a matching Origin
. This is probably done:
Does that sound right? I will test tonight.
Thanks!
@fenekku That's on the right track! Let me know how it goes.
It works as intended! Thank you for validating!
Hi,
I must be doing something wrong here. I have a very simple app using
@cross_origin
on a view but CORS headers are not sent back or respected on tests with cURL:I am expecting the call below to fail since only
http://example.com
is allowed and theOrigin
header is being spoofed tohttp://example123.com
. This is what I get however:with Python 3.6.5 I get the same result. I am expecting
Access-Control-Allow-Origin: http://example.com
to be returned from the server but it is not.What is missing? Is this a bug?