Я использую простое промежуточное ПО Django для установки заголовков контроля доступа.
class CorsMoiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
response["Access-Control-Allow-Origin"] = "*"
response["Access-Control-Allow-Credentials"] = True
response["Access-Control-Allow-Methods"] = "GET"
response["Access-Control-Max-Age"] = "3600"
response["Access-Control-Allow-Headers"] = "Content-Type, Accept, X-Requested-With, remember-me"
return response
Используя curl, я четко вижу правильные заголовки.
< HTTP/1.1 200 OK
< Date: Thu, 24 Oct 2019 09:40:35 GMT
< Server: WSGIServer/0.2 CPython/3.7.4
< Content-Type: application/json
< Vary: Accept, Cookie
< Allow: GET, POST, HEAD, OPTIONS
< Access-Control-Allow-Origin: *
< X-Frame-Options: SAMEORIGIN
< Content-Length: 176
< Access-Control-Allow-Credentials: True
< Access-Control-Allow-Methods: GET
< Access-Control-Max-Age: 3600
< Access-Control-Allow-Headers: Content-Type, Accept, X-Requested-With, remember-me
...
Но если я попытаюсьfetch URL из JavaScript, я вижу следующую ошибку в консоли.
Access to fetch at 'http://localhost:8000/api/v1/todo' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.