Re: [Django] #34682: System check for CSRF_TRUSTED_ORIGINS raises errors for http://localhost:port. (was: Django version 4.2.2 or more over version 4.0 has a major bug related to CSRF_TRUSTED_ORIGINS)
Django
http://localhost:port.
-------------------------------------+-------------------------------------
Reporter: RajrupDasid | Owner: nobody
Type: Bug | Status: closed
Component: Core (System | Version: 4.2
checks) | Resolution:
Severity: Normal | worksforme
Keywords: csrf_bug, | Triage Stage:
csrf_issue, django | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):
* status: new => closed
* resolution: => worksforme
* component: CSRF => Core (System checks)
Old description:
> Django version the problem I faced - 4.2.2
> OS - musl linux.
> Hi, while I was making a simple blogging website, i encountered with an
> issue .
> When ever I was sending a post request from my react front-end to Django
> proper url it's keeps telling me 403 request forbidden
> http://localhost:300 is not in allowed list , but I have already setup
> CROS in my django project and I am very sure I did it right way.Adding
> crosheaders in installed apps and other configuration , I have went
> through some stackoverflow thread to make sure I am doing correctly .
> But still i was getting the problem . After some research I've discovered
> this stackoverflow thread [https://stackoverflow.com/questions/70508568
> /django-csrf-trusted-origins-not-working-as-expected], it's telling me
> that I need to add scheme like 'http://localhost:3000' and has to has the
> same thing in allowed domains section.
> This is the configuration what i have done after going through that
> stackoverflow thread
>
> CSRF_TRUSTED_ORIGINS = [
> 'http://localhost:3000',
> 'http://localhost:8000',
> ]
>
> ALLOWED_HOSTS = ['localhost']
>
> CORS_ORIGIN_WHITELIST = [
> 'http://localhost:3000',
> 'http://localhost:8000'
> ]
>
> But after this when ever I was trying to reload the application I was
> getting keep getting system error "
> {{{
> Traceback (most recent call last):
> File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
> self.run()
> File "/usr/lib/python3.11/threading.py", line 975, in run
> self._target(*self._args, **self._kwargs)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/utils/autoreload.py", line 64, in wrapper
> fn(*args, **kwargs)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/core/management/commands/runserver.py", line 133, in
> inner_run
> self.check(display_num_errors=True)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/core/management/base.py", line 556, in check
> raise SystemCheckError(msg)
> django.core.management.base.SystemCheckError: SystemCheckError: System
> check identified some issues:
>
> ERRORS:
> ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS
> setting must start with a scheme (usually http:// or https://) but found
> ['http://localhost:3000', 'http://localhost:8000']. See the release notes
> for details.
>
> System check identified 1 issue (0 silenced).
> /home/rajrup/projects/bloggy/mrblog/settings.py changed, reloading.
> <class 'account.models.User'>
> Watching for file changes with StatReloader
> Performing system checks...
>
> Exception in thread django-main-thread:
> Traceback (most recent call last):
> File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
> self.run()
> File "/usr/lib/python3.11/threading.py", line 975, in run
> self._target(*self._args, **self._kwargs)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/utils/autoreload.py", line 64, in wrapper
> fn(*args, **kwargs)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/core/management/commands/runserver.py", line 133, in
> inner_run
> self.check(display_num_errors=True)
> File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
> packages/django/core/management/base.py", line 556, in check
> raise SystemCheckError(msg)
> django.core.management.base.SystemCheckError: SystemCheckError: System
> check identified some issues:
>
> ERRORS:
> ?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS
> setting must start with a scheme (usually http:// or https://) but found
> ['http://localhost:3000', 'http://localhost:8000']. See the release notes
> for details.
>
> }}}
> ",
> go to this google drive link to check the picture also if you want to
> trace the full path -
> [https://drive.google.com/drive/folders/1KK8qmgBKKr4dIOwWS8S9w7EAWxLV5zFF?usp=sharing].
> The project it self opensource but i am not giving the link here to make
> my first Django bug report clutter free. but if you want I can give you
> the project link also,
>
> to be mentioned when I had downgraded and installed django 3.2.19 and the
> error has gone .
> To be noted that there is no proper guide to fix such issues or your
> documentation lack of this guide.
>
> Also one thing to mention I have also tried adding http://localhost:3000
> in allowed list but didnot worked.
New description:
Django version the problem I faced - 4.2.2
OS - musl linux.
Hi, while I was making a simple blogging website, i encountered with an
issue .
When ever I was sending a post request from my react front-end to Django
proper url it's keeps telling me 403 request forbidden
http://localhost:300 is not in allowed list , but I have already setup
CROS in my django project and I am very sure I did it right way.Adding
crosheaders in installed apps and other configuration , I have went
through some stackoverflow thread to make sure I am doing correctly .
But still i was getting the problem . After some research I've discovered
this stackoverflow thread [https://stackoverflow.com/questions/70508568
/django-csrf-trusted-origins-not-working-as-expected], it's telling me
that I need to add scheme like 'http://localhost:3000' and has to has the
same thing in allowed domains section.
This is the configuration what i have done after going through that
stackoverflow thread
{{{
CSRF_TRUSTED_ORIGINS = [
'http://localhost:3000',
'http://localhost:8000',
]
ALLOWED_HOSTS = ['localhost']
CORS_ORIGIN_WHITELIST = [
'http://localhost:3000',
'http://localhost:8000'
]
}}}
But after this when ever I was trying to reload the application I was
getting keep getting system error "
{{{
Traceback (most recent call last):
File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
self.run()
File "/usr/lib/python3.11/threading.py", line 975, in run
self._target(*self._args, **self._kwargs)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/utils/autoreload.py", line 64, in wrapper
fn(*args, **kwargs)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/core/management/commands/runserver.py", line 133, in
inner_run
self.check(display_num_errors=True)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/core/management/base.py", line 556, in check
raise SystemCheckError(msg)
django.core.management.base.SystemCheckError: SystemCheckError: System
check identified some issues:
ERRORS:
?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS
setting must start with a scheme (usually http:// or https://) but found
['http://localhost:3000', 'http://localhost:8000']. See the release notes
for details.
System check identified 1 issue (0 silenced).
/home/rajrup/projects/bloggy/mrblog/settings.py changed, reloading.
<class 'account.models.User'>
Watching for file changes with StatReloader
Performing system checks...
Exception in thread django-main-thread:
Traceback (most recent call last):
File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
self.run()
File "/usr/lib/python3.11/threading.py", line 975, in run
self._target(*self._args, **self._kwargs)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/utils/autoreload.py", line 64, in wrapper
fn(*args, **kwargs)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/core/management/commands/runserver.py", line 133, in
inner_run
self.check(display_num_errors=True)
File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-
packages/django/core/management/base.py", line 556, in check
raise SystemCheckError(msg)
django.core.management.base.SystemCheckError: SystemCheckError: System
check identified some issues:
ERRORS:
?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS
setting must start with a scheme (usually http:// or https://) but found
['http://localhost:3000', 'http://localhost:8000']. See the release notes
for details.
}}}
",
go to this google drive link to check the picture also if you want to
trace the full path -
[https://drive.google.com/drive/folders/1KK8qmgBKKr4dIOwWS8S9w7EAWxLV5zFF?usp=sharing].
The project it self opensource but i am not giving the link here to make
my first Django bug report clutter free. but if you want I can give you
the project link also,
to be mentioned when I had downgraded and installed django 3.2.19 and the
error has gone .
To be noted that there is no proper guide to fix such issues or your
documentation lack of this guide.
Also one thing to mention I have also tried adding http://localhost:3000
in allowed list but didnot worked.
--
Comment:
Thanks for the report, however it works for me, it's probably some issue
in your code. Please see TicketClosingReasons/UseSupportChannels for ways
to get help.
--
Ticket URL: <https://code.djangoproject.com/ticket/34682#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.