Comments (4)
I suspect this has to do with https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf
It is very much a Django feature, rather than Wagtail/bakerydemo.
Will mark this as closed. Best to continue the discussion in the #support channel on Slack.
from bakerydemo.
> I suspect this has to do with https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf
> It is very much a Django feature, rather than Wagtail/bakerydemo.
> Will mark this as closed. Best to continue the discussion in the #support channel on Slack.
Think I saw a similar issue raised around the Gitpod implementation, now that Django 4.x is in the `requirements.txt`, and Gitpod requires TLS/SSL, which is where this CSRF issue is coming from. Not sure why it would be so hard to put the required header notation in Wagtail. I will raise the issue in that GH area; you're right, it isn't "bakerydemo-specific."
from bakerydemo.
> Not sure why it would be so hard to put the required header notation in Wagtail,
It is not that hard. At the same time there are about a million other non hard things to do, alongside harder, more pressing issues :)
Having said that, `CSRF_TRUSTED_ORIGINS` is something the developer should control. While we can add the header (probably based on the Site entries), there are plenty of edge cases to cover that frankly make this less appealing in that it will increase the maintenance burden. Say, what if you pull the staging or production database which has different hostnames?
In my opinion, this is a documentation issue. 🤔
from bakerydemo.
> > Not sure why it would be so hard to put the required header notation in Wagtail,
>
> It is not that hard. At the same time there are about a million other non hard things to do, alongside harder, more pressing issues :)
> Having said that, `CSRF_TRUSTED_ORIGINS` is something the developer should control. While we can add the header (probably based on the Site entries), there are plenty of edge cases to cover that frankly make this less appealing in that it will increase the maintenance burden. Say, what if you pull the staging or production database which has different hostnames?
> In my opinion, this is a documentation issue. 🤔
All very good points; I noticed a simple workaround was to access the site over http:, which doesn't have CSRF exposure, but does have privacy and MITM concerns. Weird that inserting the `CSRF_TRUSTED_ORIGINS` into the `settings/base.py` file didn't solve the issue, so I still feel it might be a Wagtail v. Django misunderstanding rather than a doc issue. Django 4.0 did change the style for that insertion (see this 4.0 doc entry).
from bakerydemo.
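An added example (not code from Django, Wagtail or bakerydemo): a simplified stand-alone model of the Origin header check that Django 4.0 introduced, showing why `CSRF_TRUSTED_ORIGINS` entries written without a scheme no longer match. The hostnames are constructed, and `entries_missing_scheme` and `origin_allowed` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Constructed sample values; the hostnames are placeholders, not from the thread.
OLD_STYLE = ["8000-demo.workspace.example", ".workspace.example"]  # pre-4.0 format
NEW_STYLE = ["https://8000-demo.workspace.example", "https://*.workspace.example"]


def entries_missing_scheme(trusted):
    """Return the entries that lack the scheme Django 4.0+ requires."""
    return [entry for entry in trusted if "://" not in entry]


def origin_allowed(origin, host, is_secure, trusted):
    """Simplified model of the Origin header check (hypothetical helper).

    origin    -- value of the browser's Origin header
    host      -- host the application believes it is serving
    is_secure -- whether the application believes the request arrived over HTTPS
    trusted   -- list in CSRF_TRUSTED_ORIGINS format
    """
    # 1. Same-origin request as the application sees it.
    if origin == f"{'https' if is_secure else 'http'}://{host}":
        return True
    # 2. Exact match against a trusted origin, scheme included.
    if origin in trusted:
        return True
    # 3. Wildcard entries: scheme must match; "*.x" covers x and its subdomains.
    parts = urlsplit(origin)
    for entry in trusted:
        if "*" not in entry:
            continue
        pattern = urlsplit(entry)
        suffix = pattern.netloc.lstrip("*")  # "*.x" -> ".x"
        if pattern.scheme == parts.scheme and (
            parts.netloc.endswith(suffix) or parts.netloc == suffix[1:]
        ):
            return True
    return False


if __name__ == "__main__":
    origin = "https://8000-demo.workspace.example"
    host = "8000-demo.workspace.example"
    print("entries needing a scheme:", entries_missing_scheme(OLD_STYLE))
    # The application sees plain HTTP (TLS ended at a proxy); the browser sent https.
    print("old-style list:", origin_allowed(origin, host, False, OLD_STYLE))
    print("new-style list:", origin_allowed(origin, host, False, NEW_STYLE))
```

In a real project, Django's own system check reports scheme-less entries at startup, and `is_secure` corresponds to `request.is_secure()`, which stays false behind a TLS-terminating proxy unless `SECURE_PROXY_SSL_HEADER` is configured.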