diff --git a/changelog.d/20240508_111720_dave_fix_cors_headers.md b/changelog.d/20240508_111720_dave_fix_cors_headers.md
new file mode 100644
index 0000000..5af383e
--- /dev/null
+++ b/changelog.d/20240508_111720_dave_fix_cors_headers.md
@@ -0,0 +1 @@
+- [Bugfix] Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition) (by @ormsbee)
diff --git a/tutor/templates/apps/openedx/settings/partials/common_all.py b/tutor/templates/apps/openedx/settings/partials/common_all.py
index 9113c62..c317f4c 100644
--- a/tutor/templates/apps/openedx/settings/partials/common_all.py
+++ b/tutor/templates/apps/openedx/settings/partials/common_all.py
@@ -230,7 +230,8 @@ FEATURES["ENABLE_CORS_HEADERS"] = True
 CORS_ALLOW_CREDENTIALS = True
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ALLOW_INSECURE = {% if ENABLE_HTTPS %}False{% else %}True{% endif %}
-CORS_ALLOW_HEADERS = corsheaders_default_headers + ('use-jwt-cookie',)
+# Note: CORS_ALLOW_HEADERS is intentionally not defined here, because it should
+# be consistent across deployments, and is therefore set in edx-platform.
 # Add your MFE and third-party app domains here
 CORS_ORIGIN_WHITELIST = []
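Review bot: The comment added after `CORS_ALLOW_INSECURE` in common_all.py says the header allow-list is set in edx-platform, but not which headers this template now depends on. Since `CORS_ALLOW_CREDENTIALS = True` stays in the same block, the set of request headers accepted on credentialed cross-origin calls is security-relevant and should be discoverable from here. The removed line guaranteed that `use-jwt-cookie` was allowed; if a deployment pairs this template with an edx-platform build whose settings do not define the list (not visible in this diff), the value would presumably fall back to the library default and that header would be rejected. I would extend the comment along the lines of `# Upstream is expected to allow at least 'use-jwt-cookie', 'content-range' and 'content-disposition'; verify after edx-platform upgrades.`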