Django rest framework and cross origin requests


I'm trying to make some requests from a JavaScript client to a REST API built with Django REST framework. All GET requests to /api/test are public, so no session, token or whatever is needed. All POST requests to api/test are private and the user has to use OAuth2.

According to the documentation, I have to manage cross-origin requests with django-cors-headers. After installing this module into my Django, I've set CORS_ORIGIN_ALLOW_ALL to True, but: 1) is it good practice? 2) is there a good solution to allow cross-origin requests only on some points?

Thanks


There are 1 answers

Chris Richards On

With django-cors-headers you can restrict CORS origins with CORS_ORIGIN_WHITELIST and CORS_ORIGIN_REGEX_WHITELIST. If you don't need to allow arbitrary origins, then set those; otherwise, you're good.

You could, if you wanted to, write a decorator to check origin in your views to see if it matches a desired origin (perhaps something set on whatever model is tracking which users are authorized for POST requests?). But if you're allowing GET requests from any arbitrary origin, and don't care where POST requests come from as long as they are authorized, then you're in the clear--after all, how can you restrict origin if you don't know where clients might make requests from?
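
A sketch of the origin-checking decorator the answer describes, added here as an example and not part of the original answer. The allowlist values, the `require_allowed_origin` and `origin_allowed` names, the `deny` parameter and the policy of letting requests without an `Origin` header through to the OAuth2 check are all assumptions for illustration.

```python
import re
from functools import wraps

# Constructed allowlists, shaped like CORS_ORIGIN_WHITELIST and
# CORS_ORIGIN_REGEX_WHITELIST entries (example.com names are placeholders).
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_ORIGIN_PATTERNS = [re.compile(r"https://[a-z0-9-]+\.partners\.example\.com")]


def origin_allowed(origin):
    """True only for an exact allowlist hit or a full-string regex match."""
    if origin in ALLOWED_ORIGINS:
        return True
    # fullmatch, not search/match: "https://app.example.com.evil.test" must fail.
    return any(p.fullmatch(origin) for p in ALLOWED_ORIGIN_PATTERNS)


def require_allowed_origin(deny, methods=("POST",)):
    """View decorator (hypothetical helper). `deny` builds the 403 response;
    in a Django project pass django.http.HttpResponseForbidden."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            # Django exposes the Origin request header as META["HTTP_ORIGIN"].
            origin = request.META.get("HTTP_ORIGIN")
            # Assumed policy: no Origin header means a non-browser client,
            # which is left to the OAuth2 check inside the view.
            if request.method in methods and origin is not None:
                if not origin_allowed(origin):
                    return deny("Origin not allowed")
            return view(request, *args, **kwargs)
        return wrapped
    return decorator
```

The `Origin` header is only reliable when a browser sets it, so this check complements the OAuth2 authorization on POST and does not replace it. To limit which URL paths receive CORS headers at all, django-cors-headers also provides the `CORS_URLS_REGEX` setting.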