Do NOT use django-cors-headers.

Do not really helps: it _replaces_ a referer-header,
but doesn't make one up.

1 files changed, 0 insertions, 9 deletions

diff --git a/talerbank/settings.py b/talerbank/settings.py
index 49e4d6b..e8f226d 100644
--- a/talerbank/settings.py
+++ b/talerbank/settings.py
@@ -59,14 +59,12 @@ INSTALLED_APPS = [
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
-    'corsheaders',
     'talerbank.app'
 ]
 
 MIDDLEWARE = [
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
-    'corsheaders.middleware.CorsMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
@@ -203,10 +201,3 @@ TALER_EXPECTS_DONATIONS = [
     'Tor', 'GNUnet', 'Taler', 'FSF']
 TALER_SUGGESTED_EXCHANGE = TC.value_string(
     "bank", "suggested_exchange")
-
-# Make a 'referer' *request header* from a origin one.
-# This is needed when a client disables the 'referer'
-# header from being sent: in this situation, the anti-CSRF
-# layer makes the request invalid!
-
-CORS_REPLACE_HTTPS_REFERER = True