Skip to content

Instantly share code, notes, and snippets.

@strogonoff

strogonoff/middleware.py

Created November 16, 2011 08:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save strogonoff/1369619 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save strogonoff/1369619 to your computer and use it in GitHub Desktop.
Download ZIP
Django middleware for cross-domain XHR. WARNING: Defaults are unsafe here. Make sure to set proper restrictions in production!
Raw
middleware.py
from django import http
try:
from django.conf import settings
XS_SHARING_ALLOWED_ORIGINS = settings.XS_SHARING_ALLOWED_ORIGINS
XS_SHARING_ALLOWED_METHODS = settings.XS_SHARING_ALLOWED_METHODS
XS_SHARING_ALLOWED_HEADERS = settings.XS_SHARING_ALLOWED_HEADERS
XS_SHARING_ALLOWED_CREDENTIALS = settings.XS_SHARING_ALLOWED_CREDENTIALS
except AttributeError:
XS_SHARING_ALLOWED_ORIGINS = '*'
XS_SHARING_ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE']
XS_SHARING_ALLOWED_HEADERS = ['Content-Type', '*']
XS_SHARING_ALLOWED_CREDENTIALS = 'true'
class XsSharing(object):
"""
This middleware allows cross-domain XHR using the html5 postMessage API.
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Based off https://gist.github.com/426829
"""
def process_request(self, request):
if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
response = http.HttpResponse()
response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS )
response['Access-Control-Allow-Headers'] = ",".join( XS_SHARING_ALLOWED_HEADERS )
response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
return response
return None
def process_response(self, request, response):
response['Access-Control-Allow-Origin'] = XS_SHARING_ALLOWED_ORIGINS
response['Access-Control-Allow-Methods'] = ",".join( XS_SHARING_ALLOWED_METHODS )
response['Access-Control-Allow-Headers'] = ",".join( XS_SHARING_ALLOWED_HEADERS )
response['Access-Control-Allow-Credentials'] = XS_SHARING_ALLOWED_CREDENTIALS
return response
@adamjgrant
Copy link

adamjgrant commented Oct 16, 2012

And what is meant by "below config"?

@defulmere
Copy link

defulmere commented Oct 16, 2012

Where does this middleware folder go?

Anywhere that it can be picked up on your Python search path.

What should be in init.py?

Nothing. The presence of an empty __init__.py file in a directory is sufficient to allow the directory to be treated as a Python module (and thus allow the middleware to be imported).

And what is meant by "below config"?

Hmm, not too clear on that one, but I suspect that if you put those variables somewhere below MIDDLEWARE_CLASSES in your settings.py, you'll be OK.

@phoebebright
Copy link

phoebebright commented Nov 1, 2012

This worked for me when I was getting blank response using jquery and tastypie. Thank you so much!

@kdahlhaus
Copy link

kdahlhaus commented Apr 9, 2013

I had to add the extra auth headers and then this worked great! Couldn't get the other GIST about CORSResource for Tastypie to work. This is how I configured it:

XS_SHARING_ALLOWED_HEADERS = ['authorization']  # IF START SEEING ERRORS HERE must DUPLICATE ' Access-Control-Request-Headers' from request see https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS

@mesuutt
Copy link

mesuutt commented Jan 10, 2014

There is any special reason you assign variables outside class instead of init of the class ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment