overhangio · kdmccormick · May 8, 2024 · May 8, 2024 · May 8, 2024
diff --git a/changelog.d/20240508_111720_dave_fix_cors_headers.md b/changelog.d/20240508_111720_dave_fix_cors_headers.md
@@ -0,0 +1 @@
+- [Bugfix] Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition) (by @ormsbee)
diff --git a/tutor/templates/apps/openedx/settings/partials/common_all.py b/tutor/templates/apps/openedx/settings/partials/common_all.py
@@ -230,7 +230,8 @@
 CORS_ALLOW_CREDENTIALS = True
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ALLOW_INSECURE = {% if ENABLE_HTTPS %}False{% else %}True{% endif %}
-CORS_ALLOW_HEADERS = corsheaders_default_headers + ('use-jwt-cookie',)
+# Note: CORS_ALLOW_HEADERS is intentionally not defined here, because it should
+# be consistent across deployments, and is therefore set in edx-platform.
 
 # Add your MFE and third-party app domains here
 CORS_ORIGIN_WHITELIST = []
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- [Bugfix] Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition) (by @ormsbee)