From 69efcb193e75d034e602fcfcbf77be128d9fcb15 Mon Sep 17 00:00:00 2001
From: Santos Gallegos
Date: Thu, 21 Sep 2023 10:52:37 -0500
Subject: [PATCH] Fix CORS headers in local dev (#10761)

Minion is setting these headers, and the final response will include duplicate headers, this isn't allowed.
---
 dockerfiles/nginx/proxito.conf.template | 13 +++++++++++++
 readthedocs/settings/docker_compose.py | 3 ---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/dockerfiles/nginx/proxito.conf.template b/dockerfiles/nginx/proxito.conf.template
index be276fdb4a2..f77b84cee26 100644
--- a/dockerfiles/nginx/proxito.conf.template
+++ b/dockerfiles/nginx/proxito.conf.template
@@ -76,12 +76,25 @@ server {
 add_header Permissions-Policy $permissions_policy always;
 set $feature_policy $upstream_http_feature_policy;
 add_header Feature-Policy $feature_policy always;
+
+ # CORS headers.
+ # Minio sets these headers, and we don't want to copy
+ # them to the response, since our application sets them.
+ proxy_hide_header Access-Control-Allow-Credentials;
+ proxy_hide_header Access-Control-Expose-Headers;
+
+ proxy_hide_header Access-Control-Allow-Origin;
 set $access_control_allow_origin $upstream_http_access_control_allow_origin;
 add_header Access-Control-Allow-Origin $access_control_allow_origin always;
+
+ proxy_hide_header Access-Control-Allow-Headers;
 set $access_control_allow_headers $upstream_http_access_control_allow_headers;
 add_header Access-Control-Allow-Headers $access_control_allow_headers always;
+
+ proxy_hide_header Access-Control-Allow-Methods;
 set $access_control_allow_methods $upstream_http_access_control_allow_methods;
 add_header Access-Control-Allow-Methods $access_control_allow_methods always;
+
 set $x_frame_options $upstream_http_x_frame_options;
 add_header X-Frame-Options $x_frame_options always;
 set $x_content_type_options $upstream_http_x_content_type_options;
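Review bot: `Access-Control-Allow-Credentials` and `Access-Control-Expose-Headers` are hidden at the top of the new CORS block but, unlike the three headers below them, get no `set`/`add_header` pair, so any value the application sends for them appears not to reach the client. Dropping Allow-Credentials is the safer default, but the comment "since our application sets them" reads as if all five were forwarded; I would state the intent, e.g. `# Allow-Credentials and Expose-Headers are dropped on purpose; only Allow-Origin, Allow-Headers and Allow-Methods are re-added from the application response.` If credentialed requests are meant to work in local dev, add the pair instead: `set $access_control_allow_credentials $upstream_http_access_control_allow_credentials;` followed by `add_header Access-Control-Allow-Credentials $access_control_allow_credentials always;`. The enclosing block starts and ends outside the hunk, so whether `Vary: Origin` is forwarded alongside a per-request Allow-Origin value cannot be checked from here and is worth confirming.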
diff --git a/readthedocs/settings/docker_compose.py b/readthedocs/settings/docker_compose.py index 89d508e79e7..9ff216fac2f 100644 --- a/readthedocs/settings/docker_compose.py +++ b/readthedocs/settings/docker_compose.py @@ -217,8 +217,5 @@ def DATABASES(self): # noqa # This limit is mostly hit on large forms in the Django admin DATA_UPLOAD_MAX_NUMBER_FIELDS = None - # This allows us to have CORS work well in dev - CORS_ORIGIN_ALLOW_ALL = True - DockerBaseSettings.load_settings(__name__)