Suggestions for solving the CORS & CSRF

Hi there,
First of all, I'm not sure, but I strongly believe that we are getting the CORS problem due to differences between HOST and URLs.
I'm working to implement some MFEs from Open edX via plugins. I have faced the CORS header problem several times. In my opinion, if we can find a solution for rendering the API URLs, which are different from each other (see DISCOVERY_API_BASE_URL), I believe the CORS problem will be solved.
It's possible to EXPOSE different PORTS with plugins/Dockerfile, Nginx, or .ENV files, but that mismatches the application's ORIGIN and URLs, I believe.

Here are some examples from Frontend-app-publisher.
We are using Tutor 14.0.0 with Nutmeg and we are using this repo

@qali

Having set CORS_ORIGIN_WHITELIST and CSRF_TRUSTED_ORIGINS usually works for me.

Hi Chintan,
We have installed Tutor Discovery, Ecommerce and Publisher, and we are getting this error with Publisher. Please guide us. This is our discussion with BbrSofiane: Configure publisher - #7 by BbrSofiane. Please suggest how we can resolve the error.

Hi @Manoj_kumar ,
Sorry, I have no opportunity to make a new plugin for that. But you can check this post.

My publisher plugin was running as a subdomain of my platform. That was just a test, and it was working after help from Regis.
The Discovery plugin was activated, but the organization settings did not work for this plugin.
You must add your publisher plugin host to the whitelist of the LMS and the Discovery plugin (that was fixed by Regis).
My approach was different. But now Tutor has MFA plugins, which are working without any problems. I suggest you follow their solution.
I hope this can help, and good luck :+1:

Murat (Qali)

Thank you @murat-polat for your help.

Hi @murat-polat,
We have already tried that, but the error is not solved. Please have a look at this and help us resolve the issue. We only want to show dates according to student enrollment in a student-paced course. Please guide us: is there any other way to accomplish that?

Can you please paste the content of your .local/share/tutor/env/plugins/discovery/apps/settings/tutor/production.py file?

Hi Chintan,
PFA

```python
from ..production import *

SECRET_KEY = "REDACTED"
ALLOWED_HOSTS = [
    "discovery",
    "discovery.example.com",
]

PLATFORM_NAME = "kupg"

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": "discovery",
        "USER": "discovery",
        "PASSWORD": "REDACTED",
        "HOST": "mysql",
        "PORT": "3306",
        "OPTIONS": {
            "init_command": "SET sql_mode='STRICT_TRANS_TABLES'",
        },
    }
}

ELASTICSEARCH_DSL['default'].update({
    'hosts': "http://elasticsearch:9200/"
})

CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "KEY_PREFIX": "discovery",
        "LOCATION": "redis://@redis:6379/1",
    }
}

# Some openedx language codes are not standard, such as zh-cn
LANGUAGE_CODE = {
    "zh-cn": "zh-hans",
    "zh-hk": "zh-hant",
    "zh-tw": "zh-hant",
}.get("en", "en")
PARLER_DEFAULT_LANGUAGE_CODE = LANGUAGE_CODE
PARLER_LANGUAGES[1][0]["code"] = LANGUAGE_CODE
PARLER_LANGUAGES["default"]["fallbacks"] = [PARLER_DEFAULT_LANGUAGE_CODE]

EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_HOST = "smtp"
EMAIL_PORT = "8025"
EMAIL_HOST_USER = ""
EMAIL_HOST_PASSWORD = ""
EMAIL_USE_TLS = False

# Get rid of the "local" handler
LOGGING["handlers"].pop("local")
for logger in LOGGING["loggers"].values():
    if "local" in logger["handlers"]:
        logger["handlers"].remove("local")

# Decrease verbosity of algolia logger
LOGGING["loggers"]["algoliasearch_django"] = {"level": "WARNING"}

OAUTH_API_TIMEOUT = 5

import json
JWT_AUTH["JWT_ISSUER"] = "https://example.com/oauth2"
JWT_AUTH["JWT_AUDIENCE"] = "openedx"
JWT_AUTH["JWT_SECRET_KEY"] = "REDACTED"

# TODO assign a discovery-specific public key
JWT_AUTH["JWT_PUBLIC_SIGNING_JWK_SET"] = json.dumps(
    {
        "keys": [
            {
                "kid": "openedx",
                "kty": "RSA",
                "e": "AQAB",
                "n": "REDACTED",
            }
        ]
    }
)
JWT_AUTH["JWT_ISSUERS"] = [
    {
        "ISSUER": "https://example.com/oauth2",
        "AUDIENCE": "openedx",
        "SECRET_KEY": "REDACTED"
    }
]

EDX_DRF_EXTENSIONS = {
    'OAUTH2_USER_INFO_URL': 'https://example.com/oauth2/user_info',
}

BACKEND_SERVICE_EDX_OAUTH2_KEY = "discovery"
BACKEND_SERVICE_EDX_OAUTH2_SECRET = "REDACTED"
BACKEND_SERVICE_EDX_OAUTH2_PROVIDER_URL = "http://lms:8000/oauth2"

SOCIAL_AUTH_EDX_OAUTH2_KEY = "discovery-sso"
SOCIAL_AUTH_EDX_OAUTH2_SECRET = "REDACTED"
SOCIAL_AUTH_EDX_OAUTH2_ISSUER = "https://example.com"
SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT = SOCIAL_AUTH_EDX_OAUTH2_ISSUER
SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT = SOCIAL_AUTH_EDX_OAUTH2_ISSUER
SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL = SOCIAL_AUTH_EDX_OAUTH2_ISSUER + "/logout"

SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

CORS_ORIGIN_WHITELIST = list(CORS_ORIGIN_WHITELIST) + ["https://apps.example.com"]
```

The CORS_ORIGIN_WHITELIST field has a proper value. Also make sure that the site is in fact on https. I had that issue when the site was on http.

Haven’t got anything apart from that.
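The http/https point in the reply above, as an added example that is not part of the original thread or of Tutor's code: a small standalone checker that compares the `Origin` a browser would send against `CORS_ORIGIN_WHITELIST`-style entries and says why each entry does not match. It assumes entries must equal the origin exactly on scheme, host and port; `parse_origin`, `diagnose` and the sample entries other than `https://apps.example.com` are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Return (scheme, host, port), or None if value is not a bare origin."""
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # missing or unsupported scheme, e.g. "apps.example.com"
    if parts.path or parts.query or parts.fragment:
        return None  # an origin has no path; a trailing "/" counts as one
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None  # non-numeric or out-of-range port
    return parts.scheme, parts.hostname, port


def diagnose(request_origin, whitelist):
    """Return (allowed, findings) for one browser Origin header value."""
    wanted = parse_origin(request_origin)
    if wanted is None:
        return False, [f"{request_origin!r}: not a valid origin"]
    findings = []
    for entry in whitelist:
        have = parse_origin(entry)
        if have == wanted:
            return True, []
        if have is None:
            reason = "not a bare scheme://host[:port] origin"
        elif have[1] != wanted[1]:
            reason = "different host"
        elif have[0] != wanted[0]:
            reason = "scheme mismatch (http vs https)"
        else:
            reason = "port mismatch"
        findings.append(f"{entry!r}: {reason}")
    return False, findings


if __name__ == "__main__":
    # Constructed sample: the MFE is served over https, the whitelist is not.
    sample = ["http://apps.example.com", "https://apps.example.com/", "apps.example.com"]
    allowed, notes = diagnose("https://apps.example.com", sample)
    print("allowed:", allowed)
    for note in notes:
        print(" -", note)
```
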

Thank you, Chintan. I have tried that, but it is not working. Thank you very much for your precious time.