Add CORS domain whitelist

marlonkeating · marlonkeating · commit fbe64c3de52a · 2022-01-12T20:58:56.000-08:00
diff --git a/democracylab/settings.py b/democracylab/settings.py
@@ -50,6 +50,7 @@
     'django.contrib.sitemaps',
     'django.contrib.staticfiles',
     'rest_framework',
+    'corsheaders',
     'taggit',
     'allauth',
     'allauth.account',
@@ -108,6 +109,7 @@
     'whitenoise.middleware.WhiteNoiseMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'corsheaders.middleware.CorsMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
@@ -380,6 +382,10 @@ def read_connection_config(config):
 if CSP_FRAME_SRC is not None:
     CSP_FRAME_SRC = ast.literal_eval(CSP_FRAME_SRC)
 
+CORS_ALLOWED_ORIGIN_PATTERNS = os.environ.get('CORS_ALLOWED_ORIGIN_PATTERNS', None)
+if CORS_ALLOWED_ORIGIN_PATTERNS is not None:
+    CORS_ALLOWED_ORIGIN_REGEXES = ast.literal_eval(CORS_ALLOWED_ORIGIN_PATTERNS)
+
 # Internationalization
 # https://docs.djangoproject.com/en/1.11/topics/i18n/
 
diff --git a/requirements.txt b/requirements.txt
@@ -7,6 +7,7 @@ django-appconf==1.0.2
 django-autofixture==0.12.1
 django-compressor==2.1.1
 django-core==1.4.1
+django-cors-headers==3.10.1
 django-csp==3.7
 django-registration==3.1.2
 django-rq==2.4.1
