From c3d35af807f2203dd9ea59856439e7621d432b23 Mon Sep 17 00:00:00 2001
From: David Ormsbee
Date: Wed, 8 May 2024 16:31:02 -0400
Subject: [PATCH] fix: allow course import from Course Authoring MFE (#1063)
Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition)
Co-authored-by: Kyle McCormick
---
changelog.d/20240508_111720_dave_fix_cors_headers.md | 1 +
tutor/templates/apps/openedx/settings/partials/common_all.py | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
create mode 100644 changelog.d/20240508_111720_dave_fix_cors_headers.md
diff --git a/changelog.d/20240508_111720_dave_fix_cors_headers.md b/changelog.d/20240508_111720_dave_fix_cors_headers.md
new file mode 100644
index 0000000000..5af383eb36
--- /dev/null
+++ b/changelog.d/20240508_111720_dave_fix_cors_headers.md
@@ -0,0 +1 @@
+- [Bugfix] Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition) (by @ormsbee)
diff --git a/tutor/templates/apps/openedx/settings/partials/common_all.py b/tutor/templates/apps/openedx/settings/partials/common_all.py
index 9113c62dfe..c317f4c06f 100644
--- a/tutor/templates/apps/openedx/settings/partials/common_all.py
+++ b/tutor/templates/apps/openedx/settings/partials/common_all.py
@@ -230,7 +230,8 @@ CORS_ALLOW_CREDENTIALS = True CORS_ORIGIN_ALLOW_ALL = False CORS_ALLOW_INSECURE = {% if ENABLE_HTTPS %}False{% else %}True{% endif %} -CORS_ALLOW_HEADERS = corsheaders_default_headers + ('use-jwt-cookie',) +# Note: CORS_ALLOW_HEADERS is intentionally not defined here, because it should +# be consistent across deployments, and is therefore set in edx-platform. # Add your MFE and third-party app domains here CORS_ORIGIN_WHITELIST = []
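Review bot: The comment that replaces `CORS_ALLOW_HEADERS` says the value is set in edx-platform but not what it has to contain, and with `CORS_ALLOW_CREDENTIALS = True` three lines above it, that allow-list governs which request headers credentialed cross-origin calls may carry. The template no longer guarantees `use-jwt-cookie` itself, so a deployment built against an edx-platform version that does not define the setting would presumably fall back to the library defaults and fail preflight for MFE requests that send it. I would extend the comment with the expectation, e.g. `# Upstream value is expected to include 'use-jwt-cookie', 'content-range' and 'content-disposition'; plugins that override it must keep these.` The import that provided `corsheaders_default_headers` lies outside this hunk; if nothing else in the settings templates uses it, it can be dropped in the same change.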