U tb@sddlmZddlZddlmZddlmZmZddlm Z m Z ddl m Z ddl mZddlmZdd lmZd Zd Zd Zd ZdZdZGdddeZGdddeZdS)) annotationsN)Any) ParseResulturlparse) HttpRequest HttpResponse)patch_vary_headers)MiddlewareMixin)conf)check_request_enabledzAccess-Control-Allow-OriginzAccess-Control-Expose-Headersz Access-Control-Allow-CredentialszAccess-Control-Allow-HeaderszAccess-Control-Allow-MethodszAccess-Control-Max-Agec@sBeZdZdddddZdddddZdddddd d d Zd S) CorsPostCsrfMiddlewarerNonerequestreturncCs0tjr,d|jkr,|jd}||jd<|jd=dS)zj Put the HTTP_REFERER back to its original value and delete the temporary storage ORIGINAL_HTTP_REFERER HTTP_REFERERN)r CORS_REPLACE_HTTPS_REFERERMETA)selfr http_refererr:/tmp/pip-unpacked-wheel-h03uz43q/corsheaders/middleware.py_https_referer_replace_reverses  z5CorsPostCsrfMiddleware._https_referer_replace_reversecCs||dSNrrrrrrprocess_request!s z&CorsPostCsrfMiddleware.process_requestrrcallback callback_argscallback_kwargsrcCs||dSrrrrrr r!rrr process_view%s z#CorsPostCsrfMiddleware.process_viewN)__name__ __module__ __qualname__rrr#rrrrr s r c@seZdZdddddZdddddZdd d d dd d d Zdd d dddZddddddZdddddZdddddZ dddddZ ddddd Z d!S)"CorsMiddlewarerr rcCs|jd}|r|rd|jkrt|}tjs@|||s@dSz<|jd}d|jd}|j|_||jd<||jd<Wntk rYnXdS)a When https is enabled, django CSRF checking includes referer checking which breaks when using CORS. This function updates the HTTP_REFERER header to make sure it matches HTTP_HOST, provided that our cors logic succeeds HTTP_ORIGINrNrz https://%s/Z HTTP_HOST) rgetZ is_securerr CORS_ALLOW_ALL_ORIGINSorigin_found_in_white_listscopyKeyError)rroriginurlrZ http_hostrrr_https_referer_replace1s*     z%CorsMiddleware._https_referer_replacezHttpResponse | NonecCsL|||_|jrHtjr"|||jdkrHd|jkrHt}d|d<|SdS)a If CORS preflight header, then create an empty body response (200 OK) and return it Django won't bother calling any other request view/exception middleware along with the requested view; it will call any response middlewares OPTIONSZ"HTTP_ACCESS_CONTROL_REQUEST_METHOD0zContent-LengthN) is_enabled _cors_enabledr rr0methodrr)rrresponserrrrPs  zCorsMiddleware.process_requestrrcCs|jrtjr||dS)z9 Do the referer replacement here as well N)r4r rr0r"rrrr#gs  zCorsMiddleware.process_viewr)rr6rcCst|dd}|dkr||}|s&|St|dg|jd}|sF|Sz t|}Wntk rj|YSXtjrzd|t <tj s| ||s| |s|Stj rtjsd|t <n||t <ttjrdtj|t<|jdkrdtj|t<dtj|t<tjrttj|t<|S) z1 Add the respective CORS headers r4NZOriginr(true*z, r1)getattrr3rrr)r ValueErrorr ZCORS_ALLOW_CREDENTIALS ACCESS_CONTROL_ALLOW_CREDENTIALSr*r+ check_signalACCESS_CONTROL_ALLOW_ORIGINlenZCORS_EXPOSE_HEADERSjoinACCESS_CONTROL_EXPOSE_HEADERSr5ZCORS_ALLOW_HEADERSACCESS_CONTROL_ALLOW_HEADERSZCORS_ALLOW_METHODSACCESS_CONTROL_ALLOW_METHODSZCORS_PREFLIGHT_MAX_AGEstrACCESS_CONTROL_MAX_AGE)rrr6enabledr.r/rrrprocess_responseusF           zCorsMiddleware.process_responserCrbool)r.r/rcCs&|dkr|tjkp$||p$||S)Nnull)r CORS_ALLOWED_ORIGINS_url_in_whitelistregex_domain_match)rr.r/rrrr+s z*CorsMiddleware.origin_found_in_white_lists)r.rcstfddtjDS)Nc3s|]}t|VqdSr)rematch).0Zdomain_patternr.rr sz4CorsMiddleware.regex_domain_match..)anyr ZCORS_ALLOWED_ORIGIN_REGEXES)rr.rrOrrKs z!CorsMiddleware.regex_domain_matchcCstttj|jp||Sr)rGrLrMr ZCORS_URLS_REGEXZ path_infor<rrrrr3s zCorsMiddleware.is_enabledcCs tjd|d}tdd|DS)N)Zsenderrcss|]\}}|VqdSrr)rNfunctionZ return_valuerrrrPsz.CorsMiddleware.check_signal..)r sendrQ)rrZsignal_responsesrrrr<szCorsMiddleware.check_signal)r/rcs&ddtjD}tfdd|DS)NcSsg|] }t|qSr)r)rNorrr sz4CorsMiddleware._url_in_whitelist..c3s&|]}|jjko|jjkVqdSr)schemenetloc)rNr.r/rrrPsz3CorsMiddleware._url_in_whitelist..)r rIrQ)rr/ZoriginsrrXrrJs z CorsMiddleware._url_in_whitelistN) r$r%r&r0rr#rFr+rKr3r<rJrrrrr'0s4r') __future__rrLtypingr urllib.parserrZ django.httprrZdjango.utils.cacherZdjango.utils.deprecationr Zcorsheaders.confr Zcorsheaders.signalsr r=r@r;rArBrDr r'rrrrs