From b32cefe762dee6b15306d4519fb7ab475985aa35 Mon Sep 17 00:00:00 2001
From: Danielle McLean
Date: Wed, 9 May 2018 01:29:30 +1000
Subject: [PATCH] Ban CORS requests to the siteadmin and to the auth forms, just in case

---
 lemoncurry/settings/base.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lemoncurry/settings/base.py b/lemoncurry/settings/base.py
index 92ae6b2..73c11e3 100644
--- a/lemoncurry/settings/base.py
+++ b/lemoncurry/settings/base.py
@@ -235,6 +235,7 @@ AGENT_COOKIE_SECURE = True

 # django-cors-headers
 CORS_ORIGIN_ALLOW_ALL = True
+CORS_URLS_REGEX = r'^/(?!admin|auth/(?:login|logout|indie)).*$'

 # django-debug-toolbar
 # https://django-debug-toolbar.readthedocs.io/en/stable/configuration.html
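Review bot: The new `CORS_URLS_REGEX` is a prefix denylist sitting under `CORS_ORIGIN_ALLOW_ALL = True`, so it fails open: any session-bearing route not named in the lookahead (other `/auth/` views, or ones added later) keeps answering every origin with CORS headers. If only a few endpoints need cross-origin reads, listing those instead is the safer shape, e.g. `CORS_URLS_REGEX = r'^/(?:<PUBLIC_API_PREFIXES>)(?:/|$)'` with the project's real prefixes filled in. The lookahead also has no end boundary, so it matches any path that merely starts with `/admin` or `/auth/indie`; adding `(?:/|$)` after the alternation would pin it to those routes. A comment above the setting such as `# Omits CORS headers on these paths; this is not CSRF protection` would keep the "ban" in the commit subject from being read as request blocking. Whether `CORS_ALLOW_CREDENTIALS` is set is not visible in this hunk and is worth checking alongside this change.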