As of now I have CORS configured for my Spaces bucket to allow origin: * , method GET, and allowed-headers: *.
I also have my Spaces keys set up.
I’m running a Django project on the App-Platform. I have the correct AWS S3 settings configured to connect to my Spaces bucket.
When my application initially loads in a browser, all resources called for from Spaces are returned with status 200 and referrer policy: same-origin with no referer in request headers.
However, after initial page load, when CSS or JavaScript calls for a resource, Spaces returns status 403 with referrer policy: strict-origin-when-cross-origin and a referer: https://my-domain.app.
I’ve tried different CORS settings in my Spaces, and even set up Django-Cors-Headers in my project. Nothing has worked, and I’m pretty confused about why this is happening.
Thanks!
I’ve personally not experienced this issue, but here is what I’ll check in case this happens:
Confirm CORS Configuration in Spaces: Double-check your CORS settings in your Spaces bucket. Ensure that the CORS rules are correctly set to allow the necessary origins, methods, and headers. It’s a good practice to configure more specific CORS settings rather than using a wildcard (*) for security reasons.
Inspect Request Headers: When the issue occurs, take a close look at the request headers, including the `Referer` header. You mentioned that the `Referer` header is present with a value of “https://my-domain.app.” Ensure that there are no specific configurations or logic in your Django app that could be causing this header to be added.
Django Middleware and Security: Check if you have any Django middleware or security settings that could be affecting the request headers. Some middleware may modify or add headers, potentially causing CORS issues.
Cache and Cookies: Be aware that some browsers might cache CORS-related information. Clear your browser cache or try accessing the resources in an incognito/private browsing window to rule out any local caching issues. Additionally, check for any cookies being set, as they can affect CORS.
Console Errors and Logging: Inspect your browser’s console for any error messages or warnings related to CORS. Also, enable detailed logging in your Django application to capture any relevant information regarding the requests and responses.
CORS Pre-flight Requests: For some types of cross-origin requests (e.g., with certain HTTP methods or headers), the browser sends a pre-flight CORS request (an HTTP OPTIONS request) before making the actual request. Make sure that your CORS settings in Spaces allow these pre-flight requests by including the `OPTIONS` HTTP method in your CORS configuration.
Test with a Specific Origin: Instead of using a wildcard (*), try specifying the exact origin in your CORS configuration. For example, if your Django app is hosted at “https://my-domain.app,” set the CORS configuration in Spaces to allow only that specific origin.
Update Browser and Libraries: Ensure that your browser is up to date. Sometimes, outdated browsers may not handle CORS headers correctly. Similarly, update any relevant client libraries (e.g., AWS SDK for JavaScript).
Hope that this helps!
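An added example, not part of the answer above or of any DigitalOcean tooling: a small offline checker that compares the wildcard rule from the question with a rule pinned to the app's origin, showing which origins each one admits and where a bare `*` is used. It assumes Spaces evaluates rules in the S3-style shape (`AllowedOrigins`, `AllowedMethods`, `AllowedHeaders`); the function names, the `Authorization`/`Content-Type` header list and `https://other.example` are constructed for illustration.

```python
# Constructed sample rules in the S3-style CORS rule shape (assumed for Spaces).
WILDCARD_RULES = [  # the setup described in the question
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"], "AllowedHeaders": ["*"]},
]
PINNED_RULES = [  # the "specific origin" variant suggested in the answer
    {"AllowedOrigins": ["https://my-domain.app"],
     "AllowedMethods": ["GET", "HEAD"],
     "AllowedHeaders": ["Authorization", "Content-Type"]},
]


def _glob(pattern, value):
    """Match value against a pattern holding at most one '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def find_rule(rules, origin, method, request_headers=()):
    """Return the first rule allowing this origin, method and header set, else None."""
    for rule in rules:
        if not any(_glob(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        # Header names are case-insensitive; every requested header must be covered.
        if all(any(_glob(p, h.lower()) for p in allowed) for h in request_headers):
            return rule
    return None


def wildcard_findings(rules):
    """List (rule_index, field) pairs where a bare '*' is used."""
    return [(i, field)
            for i, rule in enumerate(rules)
            for field in ("AllowedOrigins", "AllowedHeaders")
            if "*" in rule.get(field, [])]


if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD_RULES), ("pinned", PINNED_RULES)):
        for origin in ("https://my-domain.app", "https://other.example"):
            hit = find_rule(rules, origin, "GET") is not None
            print(f"{name:8} {origin:24} GET allowed={hit}")
        print(f"{name:8} findings={wildcard_findings(rules)}")
```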