From 170f0a1aabe9b73c6968486911d5888ec4b16860 Mon Sep 17 00:00:00 2001
From: Hironsan
Date: Fri, 2 Dec 2022 11:39:37 +0900
Subject: [PATCH 1/2] Enable to set CSRF_TRUSTED_ORIGINS in debug mode
---
 backend/config/settings/base.py | 5 +++--
 backend/config/settings/development.py | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/backend/config/settings/base.py b/backend/config/settings/base.py
index d3b7d78e..84509b2f 100644
--- a/backend/config/settings/base.py
+++ b/backend/config/settings/base.py
@@ -230,8 +230,9 @@ CSRF_TRUSTED_ORIGINS = env.list("CSRF_TRUSTED_ORIGINS", [])
 ALLOWED_HOSTS = ["*"]
 if DEBUG:
- CORS_ORIGIN_WHITELIST = ("http://127.0.0.1:3000", "http://0.0.0.0:3000", "http://localhost:3000")
- CSRF_TRUSTED_ORIGINS = CORS_ORIGIN_WHITELIST
+ CORS_ORIGIN_ALLOW_ALL = True
+ CSRF_TRUSTED_ORIGINS = ["http://127.0.0.1:3000", "http://0.0.0.0:3000", "http://localhost:3000"]
+ CSRF_TRUSTED_ORIGINS += env.list("CSRF_TRUSTED_ORIGINS", [])
 # Batch size for importing data
 IMPORT_BATCH_SIZE = env.int("IMPORT_BATCH_SIZE", 1000)
diff --git a/backend/config/settings/development.py b/backend/config/settings/development.py
index 64b9ace5..297c5ea2 100644
--- a/backend/config/settings/development.py
+++ b/backend/config/settings/development.py
@@ -1,8 +1,6 @@
 from .base import * # noqa: F403
 MIDDLEWARE.append("api.middleware.RangesMiddleware") # noqa: F405
-CORS_ORIGIN_WHITELIST = ("http://127.0.0.1:3000", "http://0.0.0.0:3000", "http://localhost:3000")
-CSRF_TRUSTED_ORIGINS = CORS_ORIGIN_WHITELIST
 # LOGGING = {
 # 'version': 1,
 # 'handlers': {
From 494aef78237a1b99bcc6b7e78d9d21f92b3c1e85 Mon Sep 17 00:00:00 2001
From: Hironsan
Date: Fri, 2 Dec 2022 14:12:02 +0900
Subject: [PATCH 2/2] Describe how to handle CSRF failed
---
 docs/faq.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/docs/faq.md b/docs/faq.md
index 9f6349e1..f0657ca6 100644
--- a/docs/faq.md
+++ b/docs/faq.md
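Review bot: `CORS_ORIGIN_ALLOW_ALL = True` in the `if DEBUG:` branch of base.py replaces the three-entry `CORS_ORIGIN_WHITELIST`, so with DEBUG on every origin is accepted for cross-origin requests, which is wider than what the commit subject (about `CSRF_TRUSTED_ORIGINS`) describes. Since the branch sits in base.py, any settings module that imports it picks this up when DEBUG is enabled; how much that exposes depends on the credential and cookie settings, which are outside this hunk. I would keep an explicit allow-list and extend it from the environment the same way the CSRF list is, for example `CORS_ORIGIN_WHITELIST = ["http://127.0.0.1:3000", "http://0.0.0.0:3000", "http://localhost:3000"] + env.list("CORS_ORIGIN_WHITELIST", [])`. A short comment above the branch saying these are debug-only defaults would also help, and the second `env.list("CSRF_TRUSTED_ORIGINS", [])` could reuse the value already assigned on the line shown in the hunk header.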
@@ -108,3 +108,16 @@ doccano uses JSONField on SQLite. So you need to enable the JSON1 extension on P
 If you have this problem, please try the following:
 - [Enabling JSON1 extension on SQLite](https://code.djangoproject.com/wiki/JSON1Extension)
+
+## CSRF failed
+
+If you have this problem, please set `CSRF_TRUSTED_ORIGINS` environment variable to your domain name. For example, if your domain name is `example.com`, please set `CSRF_TRUSTED_ORIGINS=example.com`. In the debug mode, the default value is `http://127.0.0.1:3000`, `http://0.0.0.0:3000`, and `http://localhost:3000`. If you are using Docker Compose, please set `CSRF_TRUSTED_ORIGINS` in `docker-compose.prod.yml`:
+
+```yaml
+backend:
+ image: doccano/doccano:backend
+ environment:
+ ...
+ DJANGO_SETTINGS_MODULE: "config.settings.production"
+ CSRF_TRUSTED_ORIGINS: "http://192.168.10.3:3000"
+```