#35805: CSRF errors when using custom domains but not when using azure default domain
-------------------------------------+-------------------------------------
     Reporter:  Dan Martinez         |                     Type:  Bug
       Status:  new                  |                Component:  CSRF
      Version:  5.0                  |                 Severity:  Normal
     Keywords:  CSRF custom-domain   |             Triage Stage:  Unreviewed
                CORS azure           |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Deployed as web app in Azure and added my custom purchased (namecheap.com)
 domain name, let's call it 'i-heart-java.com'. I added the custom domain
 URL into the ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS lists, both as https
 and http, including with extra 'www.' entries. App pulls up successfully
 on those URLs and my page works for the most part, except when logging
 into any part of the app VIA MY CUSTOM DOMAIN; otherwise login works fine
 with the azure default domain. Error shows:


 {{{
 2024-09-24T14:24:35.1649753Z Forbidden (Origin checking failed - https://www.mydomain.com does not match any trusted origins.): /admin/login/
 }}}


 Followed the documentation and have searched this issue to find I am (so
 far) the only one encountering it. My Settings file details are below and
 I have tried to mix and match these related Booleans with no luck:

 {{{
 ALLOWED_HOSTS = [
     'https://127.0.0.1:8000',
     '127.0.0.1',
     'https://mydomain-XXX.eastus-0X.azurewebsites.net/',  # <- Azure default domain (logins work with no csrf errors here)
     "http://mydomain.com",
     'https://mydomain.com',
     "http://www.mydomain.com",
     'https://www.mydomain.com',
     # ..others..
 ]

 SESSION_COOKIE_SECURE = True
 SECURE_SSL_REDIRECT = False
 CORS_ALLOW_ALL_ORIGINS = True
 CSRF_COOKIE_SECURE      = True
 CSRF_COOKIE_HTTPONLY    = True
 CSRF_USE_SESSIONS       = True
 SESSION_COOKIE_DOMAIN = '.charotte100.com'
 SESSION_COOKIE_SECURE = True

 CSRF_TRUSTED_ORIGINS = [
     "https://mydomain.com",
     "http://mydomain.com",
     "https://www.mydomain.com",
     "http://www.mydomain.com",
     # ..others..
 ]
 }}}


 I am not using any reverse proxy like Nginx and have the bog standard CSRF
 middleware installed and am running via the standard gunicorn app
 command. Can anyone shed any light on whether this is a possible Django
 issue or if my configuration is correct or if this is possibly a custom
 domain DNS issue?
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35805>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
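The log line above comes from Django's Origin-header check in CsrfViewMiddleware. The following is an added example, not Django's own code and not the reporter's: a small stand-alone model of that check's documented rules, so a deployment's CSRF_TRUSTED_ORIGINS can be tested offline against the exact Origin value that a "does not match any trusted origins" message reports. It assumes the rules as documented for Django 4.0 and later: the Origin header is accepted if it equals the request's own scheme plus host, otherwise it must equal a CSRF_TRUSTED_ORIGINS entry as a whole string (scheme included, so a trailing slash never matches) or fall under a `https://*.example.com` wildcard. The domain names, settings lists and the `demo()` cases are constructed for illustration; `mydomain.com` stands in for the reporter's custom domain.

```python
"""Simplified model of Django's CSRF Origin-header check (added example,
not Django's code). Mirrors the documented matching rules so a settings
list can be checked against an Origin value taken from a log line."""
from collections import defaultdict
from urllib.parse import urlsplit


def is_same_domain(host: str, pattern: str) -> bool:
    """Same semantics as django.utils.http.is_same_domain: a pattern that
    starts with '.' matches the bare domain and every subdomain of it."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def split_trusted_origins(trusted_origins):
    """Partition CSRF_TRUSTED_ORIGINS into exact strings and '*.' wildcards.
    Entries without a scheme are rejected, as Django's startup check does."""
    exact = set()
    subdomains = defaultdict(list)  # scheme -> ['.example.com', ...]
    for origin in trusted_origins:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc:
            raise ValueError(
                f"{origin!r} has no scheme; entries look like 'https://example.com'"
            )
        if "*" in parts.netloc:
            subdomains[parts.scheme].append(parts.netloc.lstrip("*"))
        else:
            exact.add(origin)  # compared as a whole string, trailing '/' included
    return exact, subdomains


def origin_verified(origin, request_host, request_is_secure, trusted_origins):
    """Return (verified, reason) for one Origin header value.

    request_host / request_is_secure are what Django believes about the
    request (get_host() and is_secure()); behind a TLS-terminating
    front-end is_secure() is False unless SECURE_PROXY_SSL_HEADER is set.
    """
    own_origin = f"{'https' if request_is_secure else 'http'}://{request_host}"
    if origin == own_origin:
        return True, "matches the request's own scheme and host"
    exact, subdomains = split_trusted_origins(trusted_origins)
    if origin in exact:
        return True, "exact entry in CSRF_TRUSTED_ORIGINS"
    parts = urlsplit(origin)
    for pattern in subdomains.get(parts.scheme, []):
        if is_same_domain(parts.netloc.lower(), pattern):
            return True, f"wildcard entry {parts.scheme}://*{pattern}"
    return False, (
        f"{origin} != own origin {own_origin} (is_secure={request_is_secure}) "
        "and no CSRF_TRUSTED_ORIGINS entry matches it"
    )


# Constructed inputs: the Origin value from the ticket's log line and three
# hypothetical settings lists.
LOGGED_ORIGIN = "https://www.mydomain.com"
TRUSTED_OK = ["https://mydomain.com", "https://www.mydomain.com"]
TRUSTED_SLASH = ["https://www.mydomain.com/"]  # trailing slash: never matches
TRUSTED_WILDCARD = ["https://*.mydomain.com"]


def demo():
    """Run the check under the conditions a practitioner would compare."""
    host = "www.mydomain.com"
    return {
        # TLS terminated in front of gunicorn, Django sees plain HTTP:
        # own origin is http://..., so the trusted list has to decide.
        "ok": origin_verified(LOGGED_ORIGIN, host, False, TRUSTED_OK),
        "slash": origin_verified(LOGGED_ORIGIN, host, False, TRUSTED_SLASH),
        "wildcard": origin_verified(LOGGED_ORIGIN, host, False, TRUSTED_WILDCARD),
        # Django knows the request is HTTPS: own origin matches, no list needed.
        "secure": origin_verified(LOGGED_ORIGIN, host, True, []),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9} {'PASS' if ok else 'FAIL'}: {why}")
```

The `slash` case is the one worth running against a real settings file: `https://www.mydomain.com/` looks right but is compared as a whole string and never equals the `https://www.mydomain.com` that browsers send. The `secure` case shows why the same list can behave differently on two hostnames: when Django already believes the request is HTTPS for that host, the own-origin comparison succeeds before CSRF_TRUSTED_ORIGINS is consulted at all.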
