Full error:
Access to XMLHttpRequest at 'https://[redacted]/api/get_match_urls/' from origin 'https://trello.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I am making an API call from an extension while at trello.com.
I have corsheaders in my INSTALLED_APPS. I have 'corsheaders.middleware.CorsMiddleware' in my middleware as high up as possible. And I have CORS_ORIGIN_ALLOW_ALL set to True. Yes, I've tried the alternate alias CORS_ALLOW_ALL_ORIGINS and it still didn't work. Anyone have any ideas?
MIDDLEWARE = [
    'debug_toolbar.middleware.DebugToolbarMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
I had a look at the corsheaders.middleware.CorsMiddleware and it seems if you set CORS_ALLOW_ALL_ORIGINS and not CORS_ALLOW_CREDENTIALS it will return Access-Control-Allow-Origin: *, but if you also set CORS_ALLOW_CREDENTIALS then it will return the origin from the request headers.
Here is the part of the code that does that:
origin = request.META.get("HTTP_ORIGIN")
# omitting the lines in between
if conf.CORS_ALLOW_ALL_ORIGINS and not conf.CORS_ALLOW_CREDENTIALS:
    response[ACCESS_CONTROL_ALLOW_ORIGIN] = "*"
else:
    response[ACCESS_CONTROL_ALLOW_ORIGIN] = origin
Another idea would be also to use CORS_ALLOWED_ORIGIN_REGEXES, e.g.:
CORS_ALLOWED_ORIGIN_REGEXES = [
    r".*",
]
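An added example, not part of the answer above and not django-cors-headers' own code: a simplified Python model of the header decision the answer quotes, paired with the check a browser applies to the response. The function names, the `allowed_origins` parameter and the sample origins are assumptions made for illustration.

```python
import re


def allow_origin_value(origin, allow_all=False, allow_credentials=False,
                       allowed_origins=(), allowed_regexes=()):
    """Simplified model of the decision quoted above (hypothetical helper).

    Returns the Access-Control-Allow-Origin value, or None when no header
    would be sent for this request.
    """
    if not origin:
        return None  # no Origin request header, nothing to answer
    permitted = (allow_all
                 or origin in allowed_origins
                 or any(re.fullmatch(p, origin) for p in allowed_regexes))
    if not permitted:
        return None
    if allow_all and not allow_credentials:
        return "*"
    return origin  # the request's own origin is echoed back


def browser_accepts(origin, acao, acac=None, with_credentials=False):
    """CORS check a browser applies to the response headers (hypothetical helper)."""
    if acao is None:
        return False  # the "No 'Access-Control-Allow-Origin' header" error
    if with_credentials:
        # A wildcard is not honoured when the request carries credentials.
        return acao == origin and acac == "true"
    return acao in ("*", origin)


if __name__ == "__main__":
    trello = "https://trello.com"      # origin from the question
    other = "https://other.example"    # constructed second origin
    # r".*" with credentials echoes every origin; an exact pattern does not.
    for regexes in ([r".*"], [r"https://trello\.com"]):
        for o in (trello, other):
            acao = allow_origin_value(o, allow_credentials=True,
                                      allowed_regexes=regexes)
            ok = browser_accepts(o, acao, "true", with_credentials=True)
            print(regexes, o, "->", acao, "accepted" if ok else "blocked")
```

With credentials enabled, the `r".*"` pattern lets any origin make credentialed reads, while the exact `https://trello\.com` pattern limits the echoed header to the one origin the extension runs on.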