#34682: System check for CSRF_TRUSTED_ORIGINS raises errors for http://localhost:port. -------------------------------------+------------------------------------- Reporter: RajrupDasid | Owner: nobody Type: Bug | Status: closed Component: Core (System | Version: 4.2 checks) | Resolution: Severity: Normal | worksforme Keywords: csrf_bug, | Triage Stage: csrf_issue, django | Unreviewed Has patch: 0 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 -------------------------------------+------------------------------------- Changes (by Mariusz Felisiak):
* status: new => closed * resolution: => worksforme * component: CSRF => Core (System checks) Old description: > Django version the problem I faced - 4.2.2 > OS - musl linux. > Hi, while I was making a simple blogging website, i encountered with an > issue . > When ever I was sending a post request from my react front-end to Django > proper url it's keeps telling me 403 request forbidden > http://localhost:300 is not in allowed list , but I have already setup > CROS in my django project and I am very sure I did it right way.Adding > crosheaders in installed apps and other configuration , I have went > through some stackoverflow thread to make sure I am doing correctly . > But still i was getting the problem . After some research I've discovered > this stackoverflow thread [https://stackoverflow.com/questions/70508568 > /django-csrf-trusted-origins-not-working-as-expected], it's telling me > that I need to add scheme like 'http://localhost:3000' and has to has the > same thing in allowed domains section. > This is the configuration what i have done after going through that > stackoverflow thread > > CSRF_TRUSTED_ORIGINS = [ > 'http://localhost:3000', > 'http://localhost:8000', > ] > > ALLOWED_HOSTS = ['localhost'] > > CORS_ORIGIN_WHITELIST = [ > 'http://localhost:3000', > 'http://localhost:8000' > ] > > But after this when ever I was trying to reload the application I was > getting keep getting system error " > {{{ > Traceback (most recent call last): > File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner > self.run() > File "/usr/lib/python3.11/threading.py", line 975, in run > self._target(*self._args, **self._kwargs) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/utils/autoreload.py", line 64, in wrapper > fn(*args, **kwargs) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/core/management/commands/runserver.py", line 133, in > inner_run > self.check(display_num_errors=True) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/core/management/base.py", line 556, in check > raise SystemCheckError(msg) > django.core.management.base.SystemCheckError: SystemCheckError: System > check identified some issues: > > ERRORS: > ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS > setting must start with a scheme (usually http:// or https://) but found > ['http://localhost:3000', 'http://localhost:8000']. See the release notes > for details. > > System check identified 1 issue (0 silenced). > /home/rajrup/projects/bloggy/mrblog/settings.py changed, reloading. > <class 'account.models.User'> > Watching for file changes with StatReloader > Performing system checks... > > Exception in thread django-main-thread: > Traceback (most recent call last): > File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner > self.run() > File "/usr/lib/python3.11/threading.py", line 975, in run > self._target(*self._args, **self._kwargs) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/utils/autoreload.py", line 64, in wrapper > fn(*args, **kwargs) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/core/management/commands/runserver.py", line 133, in > inner_run > self.check(display_num_errors=True) > File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- > packages/django/core/management/base.py", line 556, in check > raise SystemCheckError(msg) > django.core.management.base.SystemCheckError: SystemCheckError: System > check identified some issues: > > ERRORS: > ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS > setting must start with a scheme (usually http:// or https://) but found > ['http://localhost:3000', 'http://localhost:8000']. See the release notes > for details. > > }}} > ", > go to this google drive link to check the picture also if you want to > trace the full path - > [https://drive.google.com/drive/folders/1KK8qmgBKKr4dIOwWS8S9w7EAWxLV5zFF?usp=sharing]. > The project it self opensource but i am not giving the link here to make > my first Django bug report clutter free. but if you want I can give you > the project link also, > > to be mentioned when I had downgraded and installed django 3.2.19 and the > error has gone . > To be noted that there is no proper guide to fix such issues or your > documentation lack of this guide. > > Also one thing to mention I have also tried adding http://localhost:3000 > in allowed list but didnot worked. New description: Django version the problem I faced - 4.2.2 OS - musl linux. Hi, while I was making a simple blogging website, i encountered with an issue . When ever I was sending a post request from my react front-end to Django proper url it's keeps telling me 403 request forbidden http://localhost:300 is not in allowed list , but I have already setup CROS in my django project and I am very sure I did it right way.Adding crosheaders in installed apps and other configuration , I have went through some stackoverflow thread to make sure I am doing correctly . But still i was getting the problem . After some research I've discovered this stackoverflow thread [https://stackoverflow.com/questions/70508568 /django-csrf-trusted-origins-not-working-as-expected], it's telling me that I need to add scheme like 'http://localhost:3000' and has to has the same thing in allowed domains section. This is the configuration what i have done after going through that stackoverflow thread {{{ CSRF_TRUSTED_ORIGINS = [ 'http://localhost:3000', 'http://localhost:8000', ] ALLOWED_HOSTS = ['localhost'] CORS_ORIGIN_WHITELIST = [ 'http://localhost:3000', 'http://localhost:8000' ] }}} But after this when ever I was trying to reload the application I was getting keep getting system error " {{{ Traceback (most recent call last): File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner self.run() File "/usr/lib/python3.11/threading.py", line 975, in run self._target(*self._args, **self._kwargs) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/utils/autoreload.py", line 64, in wrapper fn(*args, **kwargs) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/core/management/commands/runserver.py", line 133, in inner_run self.check(display_num_errors=True) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/core/management/base.py", line 556, in check raise SystemCheckError(msg) django.core.management.base.SystemCheckError: SystemCheckError: System check identified some issues: ERRORS: ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS setting must start with a scheme (usually http:// or https://) but found ['http://localhost:3000', 'http://localhost:8000']. See the release notes for details. System check identified 1 issue (0 silenced). /home/rajrup/projects/bloggy/mrblog/settings.py changed, reloading. <class 'account.models.User'> Watching for file changes with StatReloader Performing system checks... Exception in thread django-main-thread: Traceback (most recent call last): File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner self.run() File "/usr/lib/python3.11/threading.py", line 975, in run self._target(*self._args, **self._kwargs) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/utils/autoreload.py", line 64, in wrapper fn(*args, **kwargs) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/core/management/commands/runserver.py", line 133, in inner_run self.check(display_num_errors=True) File "/home/rajrup/projects/bloggy/env/lib/python3.11/site- packages/django/core/management/base.py", line 556, in check raise SystemCheckError(msg) django.core.management.base.SystemCheckError: SystemCheckError: System check identified some issues: ERRORS: ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS setting must start with a scheme (usually http:// or https://) but found ['http://localhost:3000', 'http://localhost:8000']. See the release notes for details. }}} ", go to this google drive link to check the picture also if you want to trace the full path - [https://drive.google.com/drive/folders/1KK8qmgBKKr4dIOwWS8S9w7EAWxLV5zFF?usp=sharing]. The project it self opensource but i am not giving the link here to make my first Django bug report clutter free. but if you want I can give you the project link also, to be mentioned when I had downgraded and installed django 3.2.19 and the error has gone . To be noted that there is no proper guide to fix such issues or your documentation lack of this guide. Also one thing to mention I have also tried adding http://localhost:3000 in allowed list but didnot worked. -- Comment: Thanks for the report, however it works for me, it's probably some issue in your code. Please see TicketClosingReasons/UseSupportChannels for ways to get help. -- Ticket URL: <https://code.djangoproject.com/ticket/34682#comment:1> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/010701890076f645-48efb3f0-e3e1-49a9-8d5a-83fe3e975c49-000000%40eu-central-1.amazonses.com.
