Django CORS allowing requests from non-allowed origin
I have Django CORS running with a list of allowed origins, as shown below:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOWED_ORIGINS = [
    'http://127.0.0.1:8000',
    'http://127.0.0.1:3000',
]
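However, if I make the request from a terminal using Python's requests library, it still allows the request. I even tried allowing only requests from https://google.com, but it still lets me use my API.
Why is this? (I'm still new to Django, so I apologize if this is a bad question.)
Here are some other settings
Installed apps: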
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # internal
    'my_app1',
    'my_app2',
    'my_app3',
    # third party
    'rest_framework',
    'corsheaders',
    'debug_toolbar',
]
Middleware:
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'debug_toolbar.middleware.DebugToolbarMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django_user_agents.middleware.UserAgentMiddleware',
]
From the Mozilla CORS docs:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to tell browsers to give a web application
running at one origin, access to selected resources from a different
origin.
It is a browser mechanism and has nothing to do with API protection, in the sense in which you have misunderstood it.
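
A minimal stdlib-only model of the point made in the answer above, added here as an illustration (it is not from the original post and is not django-cors-headers' code): the server answers every caller, only a browser acts on the CORS header, and an authentication check is what refuses the terminal client. The names `api_view`, `cors_layer`, `browser_exposes` and the token value are hypothetical.

```python
# Simplified, stdlib-only model of an origin-allowlist CORS layer.
# Assumption: illustrative only; this is not django-cors-headers' code.
ALLOWED_ORIGINS = {"http://127.0.0.1:8000", "http://127.0.0.1:3000"}
API_TOKEN = "constructed-demo-token"  # constructed sample credential


def api_view(headers_in, require_token):
    """Hypothetical API endpoint; returns (status, response_headers, body)."""
    if require_token and headers_in.get("Authorization") != f"Token {API_TOKEN}":
        return 401, {}, '{"detail": "credentials required"}'
    return 200, {}, '{"data": "api payload"}'


def cors_layer(headers_in, require_token=False):
    """Run the view, then add CORS headers for browsers to interpret."""
    status, headers_out, body = api_view(headers_in, require_token)
    origin = headers_in.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers_out["Access-Control-Allow-Origin"] = origin
    # No else branch: a missing or non-allowed Origin is not rejected here.
    return status, headers_out, body


def browser_exposes(headers_out, page_origin):
    """Client-side check a browser makes before letting page script read the body."""
    return headers_out.get("Access-Control-Allow-Origin") in (page_origin, "*")


def demo():
    other = "https://google.com"  # an origin that is not in the allowlist
    return {
        # Terminal client such as requests: no Origin header, nothing enforces CORS.
        "terminal": cors_layer({})[0],
        # Browser page on a non-allowed origin: the server still answers 200 ...
        "other_origin_status": cors_layer({"Origin": other})[0],
        # ... but the browser withholds the body from that page's script.
        "other_origin_readable": browser_exposes(cors_layer({"Origin": other})[1], other),
        "allowed_readable": browser_exposes(
            cors_layer({"Origin": "http://127.0.0.1:3000"})[1], "http://127.0.0.1:3000"),
        # Server-side authentication is what actually refuses the terminal client.
        "terminal_with_auth_required": cors_layer({}, require_token=True)[0],
        "terminal_with_token": cors_layer(
            {"Authorization": f"Token {API_TOKEN}"}, require_token=True)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```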