Refs feedback:

- fix requirements.txt
- change static CORS regex into configurable tuple list

paperless.conf.example

@@ -89,6 +89,11 @@ PAPERLESS_EMAIL_SECRET=""
 # as is "example.com,www.example.com", but NOT " example.com" or "example.com,"
 #PAPERLESS_ALLOWED_HOSTS="example.com,www.example.com"
 
+# If you decide to use Paperless APIs in an ajax calls, you need to add your
+# servers to the allowed hosts that can do CORS calls. By default Paperless allows 
+# calls from localhost:8080. The same rules as above how the list should look like.
+#PAPERLESS_CORS_ALLOWED_HOSTS="localhost:8080,example.com,localhost:8000"
+
 # To host paperless under a subpath url like example.com/paperless you set
 # this value to /paperless. No trailing slash!
 #

requirements.txt

@@ -5,7 +5,7 @@ chardet==3.0.4
 coverage==4.5.1
 coveralls==1.3.0
 dateparser==0.7.0
-django-cors-headers=2.4.0
+django-cors-headers==2.4.0
 django-crispy-forms==1.7.2
 django-extensions==2.0.7
 django-filter==1.1.0

src/paperless/settings.py

@@ -94,8 +94,12 @@ MIDDLEWARE_CLASSES = [
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 ]
 
-# We allow CORS from localhosts
-CORS_ORIGIN_REGEX_WHITELIST = (r'^(https?:\/\/)?localhost(:[0-9]{4})?$', )
+# We allow CORS from localhost:8080
+CORS_ORIGIN_WHITELIST = ("localhost:8080")
+_allowed_cors_hosts = os.getenv("PAPERLESS_CORS_ALLOWED_HOSTS")
+if _allowed_cors_hosts:
+    CORS_ORIGIN_WHITELIST = tuple(_allowed_cors_hosts.split(","))
+
 
 # If auth is disabled, we just use our "bypass" authentication middleware
 if bool(os.getenv("PAPERLESS_DISABLE_LOGIN", "false").lower() in ("yes", "y", "1", "t", "true")):