
Listing Origin, DNT, or Accept-Encoding as allowed request headers is never necessary #842

Closed
1 task done
jub0bs opened this issue Apr 2, 2023 · 1 comment · Fixed by #851

Comments

@jub0bs

jub0bs commented Apr 2, 2023

Understanding CORS

  • I have read the resources.

Python Version

No response

Django Version

No response

Package Version

No response

Description

The README explicitly lists "accept-encoding", "dnt", and "origin" in the CORS_ALLOW_HEADERS list:

CORS_ALLOW_HEADERS = [
    # omitted
    "accept-encoding",
    # omitted
    "dnt",
    "origin",
    # omitted
]

However, contrary to popular belief and according to the Fetch standard, allowing those request headers is never necessary. As so-called forbidden request headers, they're indeed handled by the browser, not by the client.

You can safely drop those three elements from that list.

@jub0bs jub0bs changed the title Listing Origin as an allowed request header is never necessary Listing Origin, DNT, or Accept-Encoding as allowed request headers is never necessary Apr 2, 2023
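As an added illustration (not part of this thread or of django-cors-headers), the following Python model runs both halves of a CORS preflight for the point made above: the browser side, which per the Fetch standard drops forbidden request headers that script tries to set, and the server side, which checks Access-Control-Request-Headers against a CORS_ALLOW_HEADERS list. The forbidden-name list follows the Fetch standard, its X-HTTP-Method-Override special case and Content-Type value rules are omitted, and the header lists used are constructed samples.

```python
# Fetch "forbidden request header" names (lowercased): the browser owns these and ignores script's values.
FORBIDDEN_HEADER_NAMES = frozenset({
    "accept-charset", "accept-encoding", "access-control-request-headers",
    "access-control-request-method", "connection", "content-length",
    "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
    "origin", "referer", "set-cookie", "te", "trailer", "transfer-encoding",
    "upgrade", "via",
})
FORBIDDEN_PREFIXES = ("proxy-", "sec-")  # any name with these prefixes, too

# CORS-safelisted request headers: script may set them, but a preflight never lists them.
SAFELISTED = frozenset({"accept", "accept-language", "content-language", "content-type"})


def is_forbidden_request_header(name: str) -> bool:
    """True if the browser ignores any value script tries to set for this name."""
    n = name.strip().lower()
    return n in FORBIDDEN_HEADER_NAMES or n.startswith(FORBIDDEN_PREFIXES)


def browser_preflight_request_headers(script_headers: dict[str, str]) -> list[str]:
    """Browser side: what Access-Control-Request-Headers carries for fetch(headers=...)."""
    # Forbidden names never leave the Headers object; safelisted names need no
    # permission. Neither is reported to the server, so neither needs allowing.
    return sorted(
        n for n in (name.lower() for name in script_headers)
        if not is_forbidden_request_header(n) and n not in SAFELISTED
    )


def server_allows_preflight(requested: list[str], cors_allow_headers: list[str]) -> bool:
    """Server side: every header named in the preflight must be in the allow-list."""
    allowed = {h.strip().lower() for h in cors_allow_headers}
    return all(h.lower() in allowed for h in requested)


def redundant_allow_headers(cors_allow_headers: list[str]) -> list[str]:
    """Allow-list entries the browser can never ask for, in original order."""
    return [h for h in cors_allow_headers if is_forbidden_request_header(h)]


if __name__ == "__main__":
    attempted = {  # constructed sample: headers a page script tries to attach cross-origin
        "Origin": "https://spoofed.example", "DNT": "1", "Accept-Encoding": "br",
        "Authorization": "Bearer t", "X-CSRFToken": "c"}
    requested = browser_preflight_request_headers(attempted)
    print("preflight asks for:", requested)  # ['authorization', 'x-csrftoken']
    for allow in (["accept-encoding", "authorization", "dnt", "origin", "x-csrftoken"],
                  ["authorization", "x-csrftoken"]):
        print(allow, "->", server_allows_preflight(requested, allow))  # True either way
```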
@adamchainz
Owner

Thank you for the report. I've removed them in #851.
