simplified cors setup

misago/conf/defaults.py

@@ -103,7 +103,6 @@ INSTALLED_APPS = (
     'crispy_forms',
     'mptt',
     'rest_framework',
-    'corsheaders',
     'misago.admin',
     'misago.acl',
     'misago.core',
@@ -124,7 +123,6 @@ MIDDLEWARE_CLASSES = (
     'misago.core.middleware.preloademberdata.PreloadEmberDataMiddleware',
     'misago.conf.middleware.PreloadConfigMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
-    'corsheaders.middleware.CorsMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',

misago/emberapp/app/index.html

@@ -31,8 +31,8 @@
       <input type="submit" id="signin-button" value="Log out">
     </form>
 
-    <script src="http://localhost:8000/django-i18n.js"></script>
-    <script src="http://localhost:8000/misago-preload-data.js"></script>
+    <script src="django-i18n.js"></script>
+    <script src="misago-preload-data.js"></script>
 
     <script>
       MisagoData.staticUrl = '';

misago/emberapp/config/environment.js

@@ -15,9 +15,9 @@ module.exports = function(environment) {
 
     contentSecurityPolicy: {
       'default-src': "'none'",
-      'script-src': "'self' 'unsafe-inline' 'unsafe-eval' https://cdn.mxpnl.com http://localhost:8000", // Allow scripts from https://cdn.mxpnl.com and Django runserver
+      'script-src': "'self' 'unsafe-inline' 'unsafe-eval' https://cdn.mxpnl.com", // Allow scripts from https://cdn.mxpnl.com
       'font-src': "'self' http://fonts.gstatic.com", // Allow fonts to be loaded from http://fonts.gstatic.com
-      'connect-src': "'self' https://api.mixpanel.com http://localhost:8000", // Allow data (ajax/websocket) from api.mixpanel.com, custom-api.local and Django runserver
+      'connect-src': "'self' https://api.mixpanel.com", // Allow data (ajax/websocket) from api.mixpanel.com, custom-api.local
       'img-src': "'self'",
       'style-src': "'self' 'unsafe-inline' http://fonts.googleapis.com", // Allow inline styles and loaded CSS from http://fonts.googleapis.com
       'media-src': "'self'"
@@ -76,15 +76,6 @@ module.exports = function(environment) {
 
   if (environment === 'production') {
     ENV.locationType = 'django-location';
-    ENV.contentSecurityPolicy = {
-      'default-src': "'none'",
-      'script-src': "'self' 'unsafe-inline' 'unsafe-eval' https://cdn.mxpnl.com", // Allow scripts from https://cdn.mxpnl.com and Django runserver
-      'font-src': "'self' http://fonts.gstatic.com", // Allow fonts to be loaded from http://fonts.gstatic.com
-      'connect-src': "'self' https://api.mixpanel.com", // Allow data (ajax/websocket) from api.mixpanel.com, custom-api.local and Django runserver
-      'img-src': "'self'",
-      'style-src': "'self' 'unsafe-inline' http://fonts.googleapis.com", // Allow inline styles and loaded CSS from http://fonts.googleapis.com
-      'media-src': "'self'"
-    };
   }
 
   return ENV;

misago/project_template/project_name/settings.py

@@ -25,15 +25,11 @@ DEBUG = True
 
 TEMPLATE_DEBUG = DEBUG
 
-# Hosts allowed to reach your site
+# Hosts allowed to POST to your site
+# If you are unsure, just enter here your host name, eg. 'mysite.com'
 
 ALLOWED_HOSTS = []
 
-# Cross-Origin Resource Sharing policy
-
-CORS_ORIGIN_ALLOW_ALL = DEBUG
-CORS_ORIGIN_WHITELIST = ()
-
 
 # Database
 # https://docs.djangoproject.com/en/{{ docs_version }}/ref/settings/#databases

misago/project_template/requirements.txt

@@ -3,7 +3,6 @@ djangorestframework==3.0.2
 beautifulsoup4==4.3.2
 bleach==1.4.1
 django-debug-toolbar==1.2.1
-django-cors-headers==1.0.0
 django-crispy-forms==1.4.0
 django-hbs-makemessages==0.9.6
 django-htmlmin==0.7