cors policy error : Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin

Question

I have installed django-cors-headers and this is settings.py :

    ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS","").split()

MIDDLEWARE = [
    
    'django.middleware.security.SecurityMiddleware',
    
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

and also :

    CORS_ALLOW_ALL_ORIGINS = True  
CORS_ALLOW_CREDENTIALS = True

but i got this error in chrome consloe:

Access to XMLHttpRequest at 'https://event-alpha.mizbans.com/api/meetings/?memory=0' from origin 'https://alpha.mizbans.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

"CorsMiddleware should be placed as high as possible, especially before any middleware that can generate responses such as Django's CommonMiddleware or Whitenoise's WhiteNoiseMiddleware. If it is not before, it will not be able to add the CORS headers to these responses." Try to move `'corsheaders.middleware.CorsMiddleware',` to the top of the list. — lucutzu33, Oct 03 '21 at 18:16
Check out the answers here https://stackoverflow.com/questions/28046422/django-cors-headers-not-work — lucutzu33, Oct 03 '21 at 18:31

score 0 · Answer 1 · answered Oct 03 '21 at 18:34

0

I had a similar issue and it was all about CORS_ALLOW_ALL_ORIGINS. It turns out it doesn't work well with something else (sorry don't remember what anymore, maybe authentication). So i Had to add specific origins. This is my entire setup:

# CORS SETUP
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOWED_ORIGINS = [
    'http://localhost:4200',
    'http://127.0.0.1:4200'
]

CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True

SESSION_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SAMESITE = 'None'

For me it works now with this combination.

answered Oct 03 '21 at 18:34

Branko Radojevic

660
1
5
14

1

still not working:( – Niloofar Oct 03 '21 at 18:40
You need to add your host to the list of origins: https://alpha.mizbans.com. Allow all origins is generally bad idea that won't work if you have authentication (AFAIR) – Branko Radojevic Oct 05 '21 at 08:11
I am using dj rest auth to login and send jwt to another service to login and register and it works fine my pc but i get cors policy error on the deployed version so maybe thats what causes the issue? – Niloofar Oct 05 '21 at 15:33
Have you listed your deployed servers like I suggested? – Branko Radojevic Oct 06 '21 at 07:12

cors policy error : Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin

1 Answers1