fanout / django-eventstream

Server-Sent Events for Django
MIT License
650 stars 85 forks

has been blocked by CORS policy: Request header field cache-control is not allowed by Access-Control-Allow-Headers in preflight response. #45

Closed softmarshmallow closed 3 years ago

softmarshmallow commented 4 years ago

has been blocked by CORS policy: Request header field cache-control is not allowed by Access-Control-Allow-Headers in preflight response.

settings.py

    EVENTSTREAM_ALLOW_ORIGIN = "*"
    EVENTSTREAM_ALLOW_CREDENTIALS = False

    # this is for corsheaders (pip)
    CORS_ORIGIN_ALLOW_ALL = True

Is something wrong with the setting? Or is it causing a CORS issue because it's ASGI? Other APIs are working fine, just /event does not work.

jkarneges commented 4 years ago

Which client/browser is giving this error? Are you able to see the request method? Since it says "preflight", I wonder if it's using OPTIONS.

This really feels like the job of django-cors-headers. Unfortunately that library seems to be incompatible with channels/ASGI.

piotrsynowiec commented 4 years ago

Here's the solution: https://stackoverflow.com/questions/45118468/request-header-field-cache-control-is-not-allowed-by-access-control-allow-header

You probably need to add this to settings.py:

    from corsheaders.defaults import default_headers

    CORS_ALLOW_HEADERS = default_headers + ('cache-control',)

The last one is what you need; the rest I assume is default.

tramora commented 3 years ago

Hi, this issue is more than 1 year old now ...

I'm facing it again because, for security reasons, I have to pass an auth token from the front end to the back end.

The preflight request (OPTIONS) fails because the back end does not return the 'Access-Control-Allow-Headers: Authorization' header and, as warned by @jkarneges, django-cors-headers and channels/ASGI are not compatible (the CORS_ALLOW_HEADERS param does not have any effect).

A possible workaround for me is to patch django_eventstream and add

    headers['Access-Control-Allow-Headers'] = 'Authorization'

in _utils.py::augment_corsheaders(headers)

It would be nice @jkarneges if we could add a new EVENTSTREAM_ALLOW_HEADERS in django_eventstream version > 4.0.0

jkarneges commented 3 years ago

Hmm, yes I suppose we should add this. I'll have a look.

jkarneges commented 3 years ago

Added in 4.1.0.

latifyahia commented 3 years ago

Has anyone fixed this problem yet? Tried the solutions provided but no luck.

tramora commented 3 years ago

Hi @latifyahia, what is your exact issue? What is the header that is not set in the preflight response (HTTP OPTIONS)? The new EVENTSTREAM_ALLOW_HEADERS parameter added in 4.1.0 works well for me (thanks @jkarneges). I need to set its value specifically to 'Authorization' because I'm doing SSE with an authorization token via this header. If you need another header, feel free to change the value.

Jay206-Programmer commented 2 years ago

I need to set multiple headers for my preflight response, e.g. username, userid, pagename, etc. How can I achieve that? Because as far as I know the EVENTSTREAM_ALLOW_HEADERS only takes a single string.
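
An added illustration, not part of the thread or of django-eventstream's code: a simplified model of the check a browser applies to the preflight response under the Fetch standard's rules for Access-Control-Allow-Headers. The helper name `blocked_headers` is hypothetical and the response dictionaries are constructed samples modelling the cases discussed above.

```python
"""Browser-side CORS preflight header check, simplified from the Fetch standard."""

# Per the Fetch standard, "*" never covers Authorization; it must be listed by name.
NON_WILDCARD_HEADERS = {"authorization"}


def parse_header_list(value):
    """Split a comma-separated header value into a set of lowercase names."""
    return {name.strip().lower() for name in (value or "").split(",") if name.strip()}


def blocked_headers(requested, preflight_response, credentials=False):
    """Return requested header names the preflight response does not allow.

    requested: value of Access-Control-Request-Headers sent with OPTIONS.
    preflight_response: dict of response headers returned by the server.
    credentials: True when the client sends cookies (withCredentials).
    """
    response = {k.lower(): v for k, v in preflight_response.items()}
    allowed = parse_header_list(response.get("access-control-allow-headers"))
    # With credentials, "*" is a literal header name, not a wildcard.
    wildcard = "*" in allowed and not credentials
    blocked = []
    for name in sorted(parse_header_list(requested)):
        if name in allowed:
            continue
        if wildcard and name not in NON_WILDCARD_HEADERS:
            continue
        blocked.append(name)
    return blocked


# Constructed preflight responses (not captured traffic).
ORIGINAL = {"Access-Control-Allow-Origin": "*"}  # no Allow-Headers at all
PATCHED = {"Access-Control-Allow-Origin": "*",
           "Access-Control-Allow-Headers": "Authorization"}
MULTI = {"Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Headers": "Authorization, Cache-Control, userid"}
STAR = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*"}

if __name__ == "__main__":
    for label, resp in [("original", ORIGINAL), ("patched", PATCHED),
                        ("multi", MULTI), ("star", STAR)]:
        print(label, blocked_headers("cache-control, authorization", resp))
```

The header value is a comma-separated list, and `*` does not cover Authorization, so listing the exact header names the client sends is the narrower and more predictable configuration.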