set CORS_REPLACE_HTTPS_REFERER option to True (#895)

6 years ago · 0e7845a1e6
parent a71d4d4327
commit 0e7845a1e6
2 changed files with 5 additions and 2 deletions
--- a/cvat/requirements/base.txt
+++ b/cvat/requirements/base.txt
@ -45,5 +45,5 @@ keras==2.2.5
 opencv-python==4.1.0.25
 h5py==2.9.0
 imgaug==0.2.9
-django-cors-headers==3.0.2
+django-cors-headers==3.2.0
 furl==2.0.0
--- a/cvat/settings/base.py
+++ b/cvat/settings/base.py
@ -174,13 +174,15 @@ if 'yes' == os.environ.get('AUTO_SEGMENTATION', 'no'):
 MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
+    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
+    # FIXME
+    # 'corsheaders.middleware.CorsPostCsrfMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'dj_pagination.middleware.PaginationMiddleware',
-    'corsheaders.middleware.CorsMiddleware',
 ]

 # Cross-Origin Resource Sharing settings for CVAT UI
@ -191,6 +193,7 @@ CORS_ALLOW_CREDENTIALS = True
 CSRF_TRUSTED_ORIGINS = [UI_HOST]
 UI_URL = '{}://{}:{}'.format(UI_SCHEME, UI_HOST, UI_PORT)
 CORS_ORIGIN_WHITELIST = [UI_URL]
+CORS_REPLACE_HTTPS_REFERER = True

 STATICFILES_FINDERS = [
    'django.contrib.staticfiles.finders.FileSystemFinder',