Experimental: set CSRF trusted origins

Readme.md

@@ -88,6 +88,7 @@ next steps below
 
    INVENTORY_SECRET_KEY=
    INVENTORY_EXTERNAL_URL=http://localhost:8000
+   INVENTORY_TRUSTED_ORIGINS=localhost:8000
    INVENTORY_DEBUG=FALSE
 
    INVENTORY_LANGUAGE=en-us

default.env

@@ -4,6 +4,11 @@ INVENTORY_SECRET_KEY=""
 # override with URL the service will be available under
 INVENTORY_EXTERNAL_URL="https://inventory.example.com"
 
+# override with URLs that are used to send POST requests here,
+# the EXTERNAL_URL will be in there already, http and https
+# will be added automatically, separate multiple origins with commas
+INVENTORY_TRUSTED_ORIGINS="localhost"
+
 # keep this to FALSE for deployments
 INVENTORY_DEBUG="FALSE"
 

inventory_project/settings.py

@@ -45,6 +45,15 @@ ALLOWED_HOSTS: list[str] = [
     socket.gethostbyname('localhost')
 ]
 
+CSRF_TRUSTED_ORIGINS: list[str] = [
+    *[
+        f'{prot}://{host}'
+        for host in os.environ.get("INVENTORY_TRUSTED_ORIGINS", "localhost").split(',')
+        for prot in ('http', 'https')
+    ],
+    f'{SERVER_URL}}'
+]
+
 # Application definition
 
 INSTALLED_APPS = [