#34682 closed Bug (worksforme)

System check for CSRF_TRUSTED_ORIGINS raises errors for http://localhost:port.

Reported by: Rajrup Das
Owned by: nobody
Component: Core (System checks)
Version: 4.2
Severity: Normal
Keywords: csrf_bug, csrf_issue, django
Cc: rajrupofficialid@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Mariusz Felisiak)

Django version where I faced the problem - 4.2.2
OS - musl linux.
Hi, while I was making a simple blogging website, I encountered an issue.
Whenever I was sending a POST request from my React front-end to the proper Django URL, it keeps telling me 403 request forbidden, http://localhost:300 is not in allowed list, but I have already set up CORS in my Django project and I am very sure I did it the right way. Adding corsheaders in installed apps and other configuration, I have gone through some Stack Overflow threads to make sure I am doing it correctly.
But still I was getting the problem. After some research I discovered this Stack Overflow thread https://stackoverflow.com/questions/70508568/django-csrf-trusted-origins-not-working-as-expected, it's telling me that I need to add a scheme like 'http://localhost:3000' and have to have the same thing in the allowed domains section.
This is the configuration I have done after going through that Stack Overflow thread:

CSRF_TRUSTED_ORIGINS = [
    'http://localhost:3000',
    'http://localhost:8000',
]

ALLOWED_HOSTS = ['localhost']


CORS_ORIGIN_WHITELIST = [
    'http://localhost:3000',
    'http://localhost:8000'
]

But after this, whenever I was trying to reload the application I kept getting a system error "

Traceback (most recent call last):
  File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.11/threading.py", line 975, in run
    self._target(*self._args, **self._kwargs)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/utils/autoreload.py", line 64, in wrapper
    fn(*args, **kwargs)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/core/management/commands/runserver.py", line 133, in inner_run
    self.check(display_num_errors=True)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/core/management/base.py", line 556, in check
    raise SystemCheckError(msg)
django.core.management.base.SystemCheckError: SystemCheckError: System check identified some issues:

ERRORS:
?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS setting must start with a scheme (usually http:// or https://) but found ['http://localhost:3000', 'http://localhost:8000']. See the release notes for details.

System check identified 1 issue (0 silenced).
/home/rajrup/projects/bloggy/mrblog/settings.py changed, reloading.
<class 'account.models.User'>
Watching for file changes with StatReloader
Performing system checks...

Exception in thread django-main-thread:
Traceback (most recent call last):
  File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.11/threading.py", line 975, in run
    self._target(*self._args, **self._kwargs)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/utils/autoreload.py", line 64, in wrapper
    fn(*args, **kwargs)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/core/management/commands/runserver.py", line 133, in inner_run
    self.check(display_num_errors=True)
  File "/home/rajrup/projects/bloggy/env/lib/python3.11/site-packages/django/core/management/base.py", line 556, in check
    raise SystemCheckError(msg)
django.core.management.base.SystemCheckError: SystemCheckError: System check identified some issues:

ERRORS:
?: (4_0.E001) As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS setting must start with a scheme (usually http:// or https://) but found ['http://localhost:3000', 'http://localhost:8000']. See the release notes for details.

",
Go to this Google Drive link to check the picture also if you want to trace the full path -

https://drive.google.com/drive/folders/1KK8qmgBKKr4dIOwWS8S9w7EAWxLV5zFF?usp=sharing.

The project itself is open source but I am not giving the link here to make my first Django bug report clutter free. But if you want I can give you the project link also.

To be mentioned: when I downgraded and installed Django 3.2.19, the error was gone.
To be noted that there is no proper guide to fix such issues, or your documentation lacks this guide.

Also one thing to mention: I have also tried adding http://localhost:3000 in the allowed list but it did not work.

Attachments (1)

django_4.2.1_bug_in_csrf_site_checking.png (202.2 KB ) - added by Rajrup Das 18 months ago.
If you don't want to follow the Google Drive picture link, I am pasting the full detailed error screenshot here. Please check, trace out and fix the issue.


Change History (2)

by Rajrup Das, 18 months ago

If you don't want to follow the Google Drive picture link, I am pasting the full detailed error screenshot here. Please check, trace out and fix the issue.

comment:1 by Mariusz Felisiak, 18 months ago

Component: CSRF → Core (System checks)
Description: modified (diff)
Resolution: → worksforme
Status: new → closed
Summary: Django version 4.2.2 or more over version 4.0 has a major bug related to CSRF_TRUSTED_ORIGINS → System check for CSRF_TRUSTED_ORIGINS raises errors for http://localhost:port.

Thanks for the report, however it works for me, it's probably some issue in your code. Please see TicketClosingReasons/UseSupportChannels for ways to get help.
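
Added example, not part of the ticket and not Django's own code: the 4_0.E001 message quoted above reports an entire list as the value it "found", which is what a per-entry substring test for "://" would print if one entry of CSRF_TRUSTED_ORIGINS were itself a list (a nested list, or a trailing comma that turns the setting into a tuple). The helper name `audit_trusted_origins` and the sample values are hypothetical, and the per-entry substring test is an assumption about how the check works.

```python
from urllib.parse import urlsplit


def audit_trusted_origins(value):
    """Return (location, problem) pairs for a CSRF_TRUSTED_ORIGINS value."""
    name = "CSRF_TRUSTED_ORIGINS"
    if isinstance(value, str):
        # Iterating a bare string would test one character at a time.
        return [(name, "is a single string, expected a list of strings")]
    problems = []
    for i, origin in enumerate(value):
        where = f"{name}[{i}]"
        if not isinstance(origin, str):
            # Assumption: a check written as `"://" not in origin` becomes a
            # membership test when origin is a list, so valid URLs inside it
            # are still reported as lacking a scheme.
            kind = type(origin).__name__
            problems.append((where, f"is a {kind}, expected a string: {origin!r}"))
            continue
        if "://" not in origin:
            problems.append((where, f"has no scheme: {origin!r}"))
            continue
        parts = urlsplit(origin)
        if not parts.netloc:
            problems.append((where, f"has no host: {origin!r}"))
        if parts.path or parts.query or parts.fragment:
            # Browsers send Origin as scheme://host[:port] only, so an entry
            # with a trailing slash or path cannot equal it.
            problems.append((where, f"has a path, query or fragment: {origin!r}"))
    return problems


# Constructed sample values (not taken from the reporter's project).
AS_IN_TICKET = ["http://localhost:3000", "http://localhost:8000"]
TRAILING_COMMA = (["http://localhost:3000", "http://localhost:8000"],)
NO_SCHEME = ["localhost:3000"]
TRAILING_SLASH = ["http://localhost:3000/"]

if __name__ == "__main__":
    for sample in (AS_IN_TICKET, TRAILING_COMMA, NO_SCHEME, TRAILING_SLASH):
        for where, problem in audit_trusted_origins(sample) or [("ok", repr(sample))]:
            print(where, problem)
```

Calling it on `settings.CSRF_TRUSTED_ORIGINS` from `manage.py shell` shows whether the value Django actually loaded has the shape written in settings.py.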
