django csrf token跨站请求

        html部分：

        <script type="text/javascript" src="../static/js/jquery-1.11.3.js"></script>

<script>
$(document).ready(function(){$("button").click(function(){$.ajax({url: 'http://127.0.0.1:8000/',
type:'get',
dataType: 'json',
beforeSend: function(xhr) { xhr.setRequestHeader('Authorization','TOKEN ' + 'x048b18739ca6c46f8365c258f5'); },
success: function(data, status) {return console.log(data);
}});

});
});
</script>django 安装

django-cors-headers

settings.py 配置

Install by downloading the source and running:

python setup.py install

or

pip install django-cors-headers

and then add it to your installed apps:

INSTALLED_APPS = (...'corsheaders',...
)

You will also need to add a middleware class to listen in on responses:

MIDDLEWARE_CLASSES = (...'corsheaders.middleware.CorsMiddleware','django.middleware.common.CommonMiddleware',...
)

Note that CorsMiddleware needs to come before Django's CommonMiddleware if you are using Django's USE_ETAGS = True setting, otherwise the CORS headers will be lost from the 304 not-modified responses, causing errors in some browsers.

Configuration

Add hosts that are allowed to do cross-site requests to CORS_ORIGIN_WHITELIST or set CORS_ORIGIN_ALLOW_ALL to Trueto allow all hosts.

CORS_ORIGIN_ALLOW_ALL: if True, the whitelist will not be used and all origins will be accepted

Default:CORS_ORIGIN_ALLOW_ALL = False

CORS_ORIGIN_WHITELIST: specify a list of origin hostnames that are authorized to make a cross-site HTTP request

Example:CORS_ORIGIN_WHITELIST = ('google.com','hostname.example.com')Default:CORS_ORIGIN_WHITELIST = ()

CORS_ORIGIN_REGEX_WHITELIST: specify a regex list of origin hostnames that are authorized to make a cross-site HTTP request; Useful when you have a large amount of subdomains for instance.

Example:CORS_ORIGIN_REGEX_WHITELIST = ('^(https?://)?(\w+\.)?google\.com$', )Default:CORS_ORIGIN_REGEX_WHITELIST = ()

---

You may optionally specify these options in settings.py to override the defaults. Defaults are shown below:

CORS_URLS_REGEX: specify a URL regex for which to enable the sending of CORS headers; Useful when you only want to enable CORS for specific URLs, e. g. for a REST API under /api/.

Example:CORS_URLS_REGEX = r'^/api/.*$'Default:CORS_URLS_REGEX = '^.*$'

CORS_ALLOW_METHODS: specify the allowed HTTP methods that can be used when making the actual request

Default:CORS_ALLOW_METHODS = ('GET','POST','PUT','PATCH','DELETE','OPTIONS')

CORS_ALLOW_HEADERS: specify which non-standard HTTP headers can be used when making the actual request

Default:CORS_ALLOW_HEADERS = ('x-requested-with','content-type','accept','origin','authorization','x-csrftoken')

CORS_EXPOSE_HEADERS: specify which HTTP headers are to be exposed to the browser

Default:CORS_EXPOSE_HEADERS = ()

CORS_PREFLIGHT_MAX_AGE: specify the number of seconds a client/browser can cache the preflight response

Note: A preflight request is an extra request that is made when making a "not-so-simple" request (eg. content-type is not application/x-www-form-urlencoded) to determine what requests the server actually accepts. Read more about it here: [http://www.html5rocks.com/en/tutorials/cors/](http://www.html5rocks.com/en/tutorials/cors/)Default:CORS_PREFLIGHT_MAX_AGE = 86400

CORS_ALLOW_CREDENTIALS: specify whether or not cookies are allowed to be included in cross-site HTTP requests (CORS).

Default:CORS_ALLOW_CREDENTIALS = False

CORS_REPLACE_HTTPS_REFERER: specify whether to replace the HTTP_REFERER header if CORS checks pass so that CSRF django middleware checks will work with https

Note: With this feature enabled, you also need to add the corsheaders.middleware.CorsPostCsrfMiddleware after django.middleware.csrf.CsrfViewMiddleware to undo the header replacementDefault:CORS_REPLACE_HTTPS_REFERER = False