diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py
index fbced0fda7..124066d938 100644
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
@@ -31,6 +31,20 @@ DEBUG = True
 ALLOWED_HOSTS = ['*']
+CORS_ORIGIN_WHITELIST = [
+ """
+ TODO - Implement a proper CORS whitelist strategy here.
+
+ - The CORS headers should be set per-application and not hard-coded into settings.py
+ - Provide an external settings.yaml file which defines extra options
+ - Then the site admin can adjust these without touching tracked files
+ """
+]
+
+if DEBUG:
+ print("Warning: DEBUG mode is enabled, CORS requests are allowed for any domain")
+ CORS_ORIGIN_ALLOW_ALL = True
+
 if DEBUG:
 # will output to your console
 logging.basicConfig(
@@ -60,6 +74,7 @@ INSTALLED_APPS = [
 'django_filters', # Extended filter functionality
 'dbbackup', # Database backup / restore
 'rest_framework', # DRF (Django Rest Framework)
+ 'corsheaders', # Cross-origin Resource Sharing for DRF
 'crispy_forms', # Improved form rendering
 'import_export', # Import / export tables to file
 'django_cleanup', # Automatically delete orphaned MEDIA files
@@ -71,6 +86,7 @@ MIDDLEWARE = [
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
+ 'corsheaders.middleware.CorsMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
diff --git a/requirements.txt b/requirements.txt
index dee0690a62..baa43eb7fe 100644
--- a/requirements.txt
+++ b/requirements.txt
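Review bot: The only element of `CORS_ORIGIN_WHITELIST` in the first settings.py hunk is the triple-quoted TODO text, so the note is stored as a whitelist entry instead of being read as a comment; `CORS_ORIGIN_WHITELIST = []` with the TODO moved into `#` comments says what is meant. The `if DEBUG:` branch that follows sets `CORS_ORIGIN_ALLOW_ALL = True`, and the hunk header line shows `DEBUG = True` assigned just above, so as far as this hunk shows every deployment of this file lets a page on any origin read API responses in the browser. Until the external settings file described in the TODO exists, I would keep `CORS_ORIGIN_ALLOW_ALL = False` as the default and make the permissive value an explicit opt-in rather than a consequence of `DEBUG`.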
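Review bot: In the `MIDDLEWARE` hunk, `'corsheaders.middleware.CorsMiddleware'` is inserted below `CommonMiddleware` and `CsrfViewMiddleware`, so a response generated by either of them (a redirect, a CSRF rejection) never passes through it and reaches the browser without CORS headers. The django-cors-headers documentation asks for the middleware to sit as high as possible, above anything that can produce a response; moving the line `'corsheaders.middleware.CorsMiddleware',` to just above `'django.middleware.common.CommonMiddleware',` would do that. The `MIDDLEWARE` list starts and ends outside this hunk, so any entries above `SessionMiddleware` are not visible here.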
@@ -2,6 +2,7 @@ Django==2.2 # Django package
 psycopg2>=2.8.1 # PostgreSQL package
 pillow>=5.0.0 # Image manipulation
 djangorestframework>=3.6.2 # DRF framework
+django-cors-headers>=2.5.3 # CORS headers extension for DRF
 django_filter>=1.0.2 # Extended filtering options
 django-dbbackup==3.2.0 # Database backup / restore functionality
 coreapi>=2.3.0 # API documentation
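Review bot: `django-cors-headers>=2.5.3` has no upper bound while this file pins `Django==2.2`, so a fresh install can resolve to a much later release of the package than the one the new settings were written against. Because those settings decide which origins may read the API, I would pin or bound the version and raise it deliberately, for example `django-cors-headers==2.5.3 # CORS headers extension for DRF`. The other `>=` entries in the file have the same property, but this is the one the commit adds.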