
I just upgraded to Django 4 and it includes ticket 16010 with the CSRF origin verification changes.

To my knowledge, if you are running an app on localhost, browsers won't send origin (they will send null). So, whenever we run a Django app on localhost, we should expect a header Origin: null in POST requests.

But with the recent change, CSRF on localhost can't be validated because of another change: CSRF_TRUSTED_ORIGINS now need to have a scheme (release notes).

Is it possible to add a non-empty Origin header when POSTing from localhost?

To be clear, this won't work:

from corsheaders.defaults import default_headers

CORS_ALLOW_HEADERS = default_headers + ('Access-Control-Allow-*',)
CORS_ALLOWED_ORIGINS = [
    "http://localhost:8000",
    "http://127.0.0.1:8000",
]
CSRF_TRUSTED_ORIGINS = [
    "http://localhost:8000",
    "http://127.0.0.1:8000",
]

<form method="post">
    {% csrf_token %}
</form>

Origin checking failed - null does not match any trusted origins.

Request headers

Host: localhost:8000
Origin: null
Tom Wojcik

1 Answer


Origin will be null in many different cases. My problem was that I had

<meta name="referrer" content="no-referrer">

in the base template.

Tom Wojcik
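To see why the request in the question is rejected regardless of the trusted-origins list, here is an added, simplified model of a Django 4-style CSRF origin check. It is illustrative code written for this page, not Django's own implementation: the settings list and the request headers are constructed to mirror the ones in the question, `check_origin`, `settings_valid` and `_matches_trusted` are hypothetical names, and the Referer fallback that Django performs when no Origin header is present is only noted, not implemented.

```python
# Added illustration, not Django's own code: a simplified CSRF origin check
# in the spirit of Django 4's, run against the settings from the question.
from urllib.parse import urlsplit

# Constructed settings mirroring the ones in the question.
CSRF_TRUSTED_ORIGINS = [
    "http://localhost:8000",
    "http://127.0.0.1:8000",
]


def settings_valid(trusted_origins):
    """Django 4 requires every CSRF_TRUSTED_ORIGINS entry to carry a scheme
    (the release-notes change the question mentions); report whether the
    list passes that rule."""
    return all("://" in origin for origin in trusted_origins)


def _matches_trusted(origin, trusted_origins):
    """Exact match, or a subdomain wildcard entry such as
    'https://*.example.com' (a form Django 4 accepts)."""
    o = urlsplit(origin)
    for entry in trusted_origins:
        t = urlsplit(entry)
        if t.scheme != o.scheme:
            continue
        if t.netloc == o.netloc:
            return True
        if t.netloc.startswith("*.") and o.netloc.endswith(t.netloc[1:]):
            return True
    return False


def check_origin(headers, trusted_origins, request_scheme="http"):
    """Return (ok, reason) for a request with the given header dict.

    The Origin header must equal the request's own origin (scheme://Host)
    or match a trusted origin. 'null' is an opaque origin and can never
    match, which is exactly the failure the question shows.
    """
    if not settings_valid(trusted_origins):
        return False, "CSRF_TRUSTED_ORIGINS entries must include a scheme"
    origin = headers.get("Origin")
    if origin is None:
        # Django would fall back to the Referer header here; this
        # illustration simply reports the absence.
        return False, "no Origin header"
    if origin == "null":
        return False, "Origin checking failed - null does not match any trusted origins."
    own = f"{request_scheme}://{headers.get('Host', '')}"
    if origin == own or _matches_trusted(origin, trusted_origins):
        return True, "origin verified"
    return False, f"Origin checking failed - {origin} does not match any trusted origins."


if __name__ == "__main__":
    # Constructed request headers like those in the question.
    for hdrs in (
        {"Host": "localhost:8000", "Origin": "null"},
        {"Host": "localhost:8000", "Origin": "http://localhost:8000"},
        {"Host": "localhost:8000", "Origin": "http://other.example"},
    ):
        print(hdrs["Origin"], "->", check_origin(hdrs, CSRF_TRUSTED_ORIGINS))
```

The point the model makes is that no entry in CSRF_TRUSTED_ORIGINS can ever equal the string `null`, so the fix is on the browser side: find what makes the browser send an opaque origin (in the answer above, the `no-referrer` referrer policy in the base template) rather than loosening the server's list.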