Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update django-cors-headers to 4.3.1 #1252

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update django-cors-headers to 4.3.1 #1252

wants to merge 1 commit into from

Conversation

pyup-bot
Copy link
Collaborator

This PR updates django-cors-headers from 3.0.2 to 4.3.1.

Changelog

4.3.1

------------------

* Fixed ASGI compatibility on Python 3.12.

Thanks to Adrian Capitanu for the report in `Issue 908 <https://github.com/adamchainz/django-cors-headers/issues/908>`__ and Rooyal in `PR #911 <https://github.com/adamchainz/django-cors-headers/pull/911>`__.

4.3.0

------------------

* Avoid adding the ``access-control-allow-credentials`` header to unallowed responses.

Thanks to Adam Romanek in `PR 888 <https://github.com/adamchainz/django-cors-headers/pull/888>`__.

* Support Django 5.0.

4.2.0

------------------

* Drop Python 3.7 support.

4.1.0

------------------

* Support Python 3.12.

4.0.0

------------------

* Add ``CORS_ALLOW_PRIVATE_NETWORK`` setting, which enables support for the Local Network Access draft specification.

Thanks to Issac Kelly in `PR 745 <https://github.com/adamchainz/django-cors-headers/pull/745>`__ and jjurgens0 in `PR #833 <https://github.com/adamchainz/django-cors-headers/pull/833>`__.

* Remove three headers from the default "accept list": ``accept-encoding``, ``dnt``, and ``origin``.
These are `Forbidden header names <https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name>`__, which means requests JavaScript can never set them.
Consequently, allowing them via CORS has no effect.

Thanks to jub0bs for the report in `Issue 842 <https://github.com/adamchainz/django-cors-headers/issues/842>`__.

* Drop the ``CORS_REPLACE_HTTPS_REFERER`` setting and ``CorsPostCsrfMiddleware``.
Since Django 1.9, the ``CSRF_TRUSTED_ORIGINS`` setting has been the preferred solution to making CSRF checks pass for CORS requests.
The removed setting and middleware only existed as a workaround for Django versions before 1.9.

* Add async support to the middleware, reducing overhead on async views.

3.14.0

-------------------

* Support Django 4.2.

* Switch from ``urlparse()`` to ``urlsplit()`` for URL parsing, reducing the middleware runtime up to 5%.
This changes the type passed to ``origin_found_in_white_lists()``, so if you have subclassed the middleware to override this method, you should check it is compatible (it most likely is).

Thanks to Thibaut Decombe in `PR 793 <https://github.com/adamchainz/django-cors-headers/pull/793>`__.

3.13.0

-------------------

* Support Python 3.11.

* Support Django 4.1.

3.12.0

-------------------

* Drop support for Django 2.2, 3.0, and 3.1.

3.11.0

-------------------

* Drop Python 3.6 support.

3.10.1

-------------------

* Prevent a crash when an invalid ``Origin`` header is sent.

Thanks to minusf for the report in `Issue 701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.

3.10.0

-------------------

* Support Python 3.10.

3.9.0

------------------

* Support Django 4.0.

3.8.0

------------------

* Add type hints.

* Stop distributing tests to reduce package size. Tests are not intended to be
run outside of the tox setup in the repository. Repackagers can use GitHub's
tarballs per tag.

3.7.0

------------------

* Support Django 3.2.

3.6.0

------------------

* Drop Python 3.5 support.
* Support Python 3.9.

3.5.0

------------------

* Following Django’s example in
`Ticket 31670 <https://code.djangoproject.com/ticket/31670>`__ for replacing
the term “whitelist”, plus an aim to make the setting names more
comprehensible, the following settings have been renamed:

* ``CORS_ORIGIN_WHITELIST`` -> ``CORS_ALLOWED_ORIGINS``
* ``CORS_ORIGIN_REGEX_WHITELIST`` -> ``CORS_ALLOWED_ORIGIN_REGEXES``
* ``CORS_ORIGIN_ALLOW_ALL`` -> ``CORS_ALLOW_ALL_ORIGINS``

The old names will continue to work as aliases, with the new ones taking
precedence.

3.4.0

------------------

* Add Django 3.1 support.

3.3.0

------------------

* Drop Django 1.11 support. Only Django 2.0+ is supported now.
* Drop the ``providing_args`` argument from ``Signal`` to prevent a deprecation
warning on Django 3.1.

3.2.1

------------------

* Update LICENSE file to Unix line endings, fixing issues with license checker
``pip-licenses`` (`Issue
477 <https://github.com/adamchainz/django-cors-headers/issues/477>`__).

3.2.0

------------------

* Converted setuptools metadata to configuration file. This meant removing the
``__version__`` attribute from the package. If you want to inspect the
installed version, use
``importlib.metadata.version("django-cors-headers")``
(`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
`backport <https://pypi.org/project/importlib-metadata/>`__).
* Support Python 3.8.

3.1.1

------------------

* Support the value `file://` for origins, which is accidentally sent by some
versions of Chrome on Android.

3.1.0

------------------

* Drop Python 2 support, only Python 3.5-3.7 is supported now.
* Fix all links for move from ``github.com/ottoyiu/django-cors-headers`` to
``github.com/adamchainz/django-cors-headers``.
Links

@pyup-bot pyup-bot mentioned this pull request Nov 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@pyup-bot