How to handle cross origin?

Why do we do that?

Browser will poke cross site server with OPTIONS method to determine the access right.

If browser don't see the right header, then it won't take the data.
If server side don't handle OPTIONS method correctly, a server side exception may be raised.

REST

Repository : https://github.com/ccapeng/bookstore_openapi

To handle corss site origin request and response, implement middleware corsapp.middleware.CorsMiddleware

class CorsMiddleware(object):

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["Access-Control-Allow-Origin"] = "*"
        response["Access-Control-Allow-Headers"] = "*"
        response["Access-Control-Allow-Methods"] = "*"

        return response

And adjust settings in bookstore_openapi.settings.py

  MIDDLEWARE = [
      ...
      'corsapp.middleware.CorsMiddleware',
  ]

To bypass cross origin, 3 access control attributes were added to response.

GraphQL

Repository : https://github.com/ccapeng/bookstore_graphQL

To handle corss site origin request and response, implement middleware corsapp.middleware.CorsMiddleware

  class CorsMiddleware(object):

      def __init__(self, get_response):
          self.get_response = get_response

      def __call__(self, request):
          is_graphQL = True if request.path == "/graphql/" else False
          is_method_options = True if request.method == "OPTIONS" else False
          if is_graphQL and is_method_options:
              response = HttpResponse("")
              response["Access-Control-Allow-Origin"] = "*"
              response["Access-Control-Allow-Headers"] = "*"
              response["Access-Control-Allow-Methods"] = "*"
              return response

          response = self.get_response(request)
          if is_graphQL:
              response["Access-Control-Allow-Origin"] = "*"
              response["Access-Control-Allow-Headers"] = "*"
              response["Access-Control-Allow-Methods"] = "*"

          return response

And adjust settings in bookstore_graphql.settings.py

  MIDDLEWARE = [
      ...
      'corsapp.middleware.CorsMiddleware',
  ]

To bypass cross origin, 3 access control attributes were added to response.

gRPC

It's handled by proxy Envoy.

File : envoy-bookstore-grpc.yaml

...
cors:
  allow_origin_string_match:
    - prefix: "*"
  allow_methods: GET, PUT, DELETE, POST, OPTIONS
  allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
  max_age: "1728000"
  expose_headers: custom-header-1,grpc-status,grpc-message
...

PreviousMigrate from REST to gRPC

Last updated 5 years ago

hashtagWhy do we do that?

hashtagREST

hashtagGraphQL

hashtaggRPC

Why do we do that?

REST

GraphQL

gRPC