django-cors-middleware
Allow for a null origin (file URL) in the whitelist
This patch allows for a straight-forward way of adding a file based URL (null origin) to the whitelist
Is null specified somewhere as a standard way of representing file:// URLs?
If you do a cross origin request from a file URL you can see that the header value Origin is set equal to "null". Seems to me I have seen it in the specs too.
Can't find it in any specs. Maybe I missed it. There is a lot of stackoverflow stuff that talks about null origin for file URLs. Chrome and Firefox both set the header Origin value to null when the page is loaded from a file URL.
I have been thinking about this and the way the origin whitelist is implemented is not optimal. It is not actually a list of origins, but rather a list of origins stripped of their protocols. Maybe origin_not_found_in_white_lists should be changed to allow protocols by comparing the whitelists against the actual origin header value as well as the protocol stripped URL.
def origin_not_found_in_white_lists(self, origin, url):
    # True when the Origin header matches neither a bare netloc entry,
    # nor a full scheme://netloc entry, nor a regex entry in the whitelist
    return (
        url.netloc not in settings.CORS_ORIGIN_WHITELIST and
        origin not in settings.CORS_ORIGIN_WHITELIST and
        not self.regex_domain_match(origin)
    )
This would allow whitelist entries that include protocols. So you could accept https://some.domain.com and reject http://some.domain.com. It also allows for the null origin without my proposed hack.
N.B. in upstream PR ottoyiu/django-cors-headers#101 I decided not to add this since I couldn't find good information that setting Origin to 'null' for file:// urls is actually standard, and also it can be added with a custom signal handler anyway.
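The protocol-aware check proposed in the thread, as a stand-alone added example that is not code from django-cors-middleware or django-cors-headers. It takes the matching idea from the comment above (exact origin entry, bare-netloc entry for the old behaviour, regex entry) and adds the two things a practitioner would want around it: the Origin value is parsed and rejected unless it is a serialized origin (scheme and host only, no path), and the literal "null" origin is only honoured when it is explicitly listed, and never with credentials, because browsers send "null" for file:// pages and sandboxed iframes alike, so allowing it with Access-Control-Allow-Credentials would let any such page make credentialed requests. The setting names, the whitelist entries and the request origins are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist (assumed names, not the library's settings).
# An entry may be a full origin (scheme-qualified) or a bare netloc
# (the legacy, scheme-agnostic form), or the literal "null".
ORIGIN_WHITELIST = {
    "https://app.example.com",  # only https is accepted for this host
    "api.example.com",          # bare netloc: http or https, any port-less form
    "null",                     # opaque origin: file:// pages, sandboxed iframes
}
ORIGIN_REGEX_WHITELIST = [r"^https://[a-z0-9-]+\.trusted\.example$"]


def origin_allowed(origin, whitelist=ORIGIN_WHITELIST,
                   regex_whitelist=ORIGIN_REGEX_WHITELIST):
    """Return True if the request's Origin header value is whitelisted."""
    if origin is None:
        return False
    origin = origin.strip()
    # "null" is what browsers send for opaque origins; it is only accepted
    # when the operator listed it explicitly, never via the netloc path below.
    if origin == "null":
        return "null" in whitelist
    parts = urlsplit(origin)
    # A serialized origin is scheme://host[:port] and nothing else.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    # 1. exact, scheme-qualified match (lets https be allowed while http is not)
    if origin in whitelist:
        return True
    # 2. bare netloc match: the old scheme-stripped behaviour, kept for compatibility
    if parts.netloc in whitelist:
        return True
    # 3. regex match against the full origin, so patterns can pin the scheme
    return any(re.match(pattern, origin) for pattern in regex_whitelist)


def cors_headers(origin, allow_credentials=False):
    """Build the CORS response headers for a request, or {} if not allowed."""
    if not origin_allowed(origin):
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the exact origin, not "*"
        "Vary": "Origin",                       # caches must key on Origin
    }
    # Never pair credentials with the "null" origin: every file:// page and
    # every sandboxed iframe shares it, so that would be a credentialed
    # allow-all.
    if allow_credentials and origin != "null":
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ["https://app.example.com", "http://app.example.com",
              "http://api.example.com", "null", "https://evil.example.com"]:
        print(o, "->", cors_headers(o, allow_credentials=True))
```

Note that the bare-netloc form is kept only so existing configurations keep working; a whitelist that wants https-only for a host should list the full origin and drop the bare entry, since the bare entry matches both schemes.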