From 7bc1567fb3d8867c58042f885be5955783e739cd Mon Sep 17 00:00:00 2001
From: jiayuan929 <252461528@qq.com>
Date: Tue, 10 Dec 2024 16:45:59 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20django4.x=20?=
 =?UTF-8?q?=E5=9C=A8=20HTTPS=20=E4=B8=8B=E5=87=BA=E7=8E=B0=E7=9A=84=20CSRF?=
 =?UTF-8?q?=20=E9=97=AE=E9=A2=98=20(#1794)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apiserver/paasng/paasng/settings/__init__.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apiserver/paasng/paasng/settings/__init__.py b/apiserver/paasng/paasng/settings/__init__.py
index e839c79bbe..5167ef7dbd 100644
--- a/apiserver/paasng/paasng/settings/__init__.py
+++ b/apiserver/paasng/paasng/settings/__init__.py
@@ -574,6 +574,14 @@ def _build_file_handler(log_path: Path, filename: str, format: str) -> Dict:
 FORCE_SCRIPT_NAME = settings.get("FORCE_SCRIPT_NAME")
 CSRF_COOKIE_DOMAIN = settings.get("CSRF_COOKIE_DOMAIN")
 SESSION_COOKIE_DOMAIN = settings.get("SESSION_COOKIE_DOMAIN")
+# Django 4.0 会参考 Origin Header,如果使用了 CSRF_COOKIE_NAME,就需要在 settings 中额外配置 CSRF_TRUSTED_ORIGINS
+# 且必须配置协议和域名
+# https://docs.djangoproject.com/en/dev/releases/4.0/#format-change
+BK_COOKIE_DOMAIN = settings.get("BK_COOKIE_DOMAIN")
+# 正式环境 CSRF_COOKIE_DOMAIN 并未设置,所以默认值直接用通配符
+CSRF_TRUSTED_ORIGINS = settings.get(
+    "CSRF_TRUSTED_ORIGINS", [f"http://*{BK_COOKIE_DOMAIN}", f"https://*{BK_COOKIE_DOMAIN}"]
+)
 # 蓝鲸登录票据在 Cookie 中的名称,权限中心 API 未接入 APIGW,访问时需要提供登录态信息
 BK_COOKIE_NAME = settings.get("BK_COOKIE_NAME", "bk_token")
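Review bot: `BK_COOKIE_DOMAIN = settings.get("BK_COOKIE_DOMAIN")` has no default, so on a deployment where it is unset the fallback in the added `CSRF_TRUSTED_ORIGINS` becomes `["http://*None", "https://*None"]`; as far as I know nothing in Django rejects an entry like that at startup, so it matches no host and the cross-origin case this commit addresses fails again with nothing pointing at the cause. Django's documented wildcard form is `https://*.example.com`, and the f-strings put `*` directly in front of the value, so the default also relies on BK_COOKIE_DOMAIN carrying its leading dot the way a cookie domain does — going by Django's `is_same_domain` handling, a bare `example.com` would degrade to an exact match on that one host rather than a wildcard. I would build the default only when the domain is set and normalise the leading dot, as below; whether the `http://` entry is needed depends on whether any deployment serves this over plain HTTP, which I can't tell from here, but trusting cleartext origins on an HTTPS-only deployment widens who can pass the Origin check, so it is worth gating or at least documenting. The first added comment says `CSRF_COOKIE_NAME` where, going by the comment two lines below, the setting it is actually talking about looks to be `CSRF_COOKIE_DOMAIN`. The surrounding settings module continues outside the hunk.
```python
# … unchanged: Django 4.0 Origin-header comment and docs link …
BK_COOKIE_DOMAIN = settings.get("BK_COOKIE_DOMAIN")
# Django's wildcard form is "https://*.example.com": the domain must carry a leading dot.
# A cookie domain such as ".example.com" already does, a bare "example.com" does not,
# and an unset domain must not turn into "*None".
_default_csrf_trusted_origins = []
if BK_COOKIE_DOMAIN:
    _wildcard_domain = BK_COOKIE_DOMAIN if BK_COOKIE_DOMAIN.startswith(".") else f".{BK_COOKIE_DOMAIN}"
    # TODO(review): drop the http:// entry if no deployment serves the apiserver over plain HTTP
    _default_csrf_trusted_origins = [f"https://*{_wildcard_domain}", f"http://*{_wildcard_domain}"]
CSRF_TRUSTED_ORIGINS = settings.get("CSRF_TRUSTED_ORIGINS", _default_csrf_trusted_origins)
```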