About three months ago, I upgraded our old Django and CMS application to the (then) latest LTS versions (4.2.3 for Django, 3.11.3 for django-cms). After the upgrade, I got the following error when I tried to edit anything from the CMS toolbar or the CMS plugins after a successful login:
SecurityError: Blocked a frame with origin "http://localhost:8000" from accessing a cross-origin frame.
A short Google search later I was able to fix the issue by setting the CSRF_TRUSTED_ORIGINS in settings.py (depending on the environment).
This worked like a charm until a few weeks ago, when suddenly the same error appeared again. This happens on all our environments - including local - despite the fact that nothing new was deployed since the beginning of July '23.
First, I tried everything in this guide: https://noumenal.es/notes/til/django/csrf-trusted-origins/
Our staging and production django app is behind a proxy, so I verified that HttpRequest.is_secure() returns True and the X-Forwarded-Proto header is set to https in the production environment. But this happens also on my local machine, where there is no HTTPS. I also verified that the CSRF cookie value and the CSRF token param in requests are, in fact, the same.
Then I tried to install the django-cors-headers module and set the CORS_ALLOWED_ORIGINS, but no luck there.
For local dev, I have these settings:
ALLOWED_HOSTS = ['localhost']
CSRF_TRUSTED_ORIGINS = ['http://localhost:8000']
CORS_ALLOWED_ORIGINS = ['http://localhost:8000']
The logs don't say anything at all about this matter.
Is there any other reason than a misconfiguration of CSRF_TRUSTED_ORIGINS why this message suddenly shows up?
Depending on what version you were upgrading from, you may have missed a bit in the upgrade notes, what's new in 3.7.2.
This option is also available on each page within the CMS, located in the advanced settings. Allowing you to override the default in your settings file.