- Drop Python 2 support, only Python 3.5-3.7 is supported now.
- Fix all links for move from
- Add a hint to the `corsheaders.E013` check to make it more obvious how to resolve it.
- Allow 'null' in
- `CORS_ORIGIN_WHITELIST` now requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2) that was not implemented in this library, except with the `CORS_ORIGIN_REGEX_WHITELIST` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure `http://` Origins to a secure
You will need to update your whitelist to include schemes, for example from this:

```python
CORS_ORIGIN_WHITELIST = ['example.com']
```

to this:

```python
CORS_ORIGIN_WHITELIST = ['https://example.com']
```
`CORS_MODEL` setting, and associated class. It seems very few, or no users were using it, since there were no bug reports since its move to abstract in version 2.0.0 (2017-01-07). If you are using this functionality, you can continue by changing your model to not inherit from the abstract one, and adding a signal handler for `check_request_enabled` that reads from your model. Note you'll need to handle the move to include schemes for Origins.
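The effect of the scheme requirement, and a way to audit an existing whitelist before upgrading, as an added example that is not code from django-cors-headers. `legacy_allows` only models the host-only comparison this changelog describes; all function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit

def legacy_allows(origin, whitelist):
    """Host-only comparison: the scheme of the Origin header is ignored."""
    return urlsplit(origin).netloc in whitelist

def scheme_aware_allows(origin, whitelist):
    """Full-origin comparison: scheme://host[:port] must match an entry."""
    return origin in whitelist

def audit_whitelist(entries):
    """Map each entry that is not a full origin to a hint for fixing it."""
    problems = {}
    for entry in entries:
        if entry == "null":  # browsers send the literal 'null' for opaque origins
            continue
        parts = urlsplit(entry)
        if "://" not in entry or not parts.netloc:
            problems[entry] = "no URI scheme; write it as https://%s" % entry
        elif parts.path or parts.query or parts.fragment:
            problems[entry] = "origin is scheme://host[:port] only; drop the rest"
    return problems

# Constructed sample data, not taken from any real deployment.
OLD_WHITELIST = ["example.com", "api.example.com:8443"]
NEW_WHITELIST = ["https://example.com", "https://api.example.com:8443"]
SAMPLE_ORIGINS = [
    "https://example.com",
    "http://example.com",            # same host, insecure scheme
    "https://api.example.com:8443",
    "https://api.example.com",       # same host, different port
]

def compare():
    """Return (origin, legacy_result, scheme_aware_result) per sample origin."""
    return [(o, legacy_allows(o, OLD_WHITELIST),
             scheme_aware_allows(o, NEW_WHITELIST)) for o in SAMPLE_ORIGINS]

if __name__ == "__main__":
    for origin, old, new in compare():
        print("%-32s legacy=%-5s scheme-aware=%s" % (origin, old, new))
    stale = OLD_WHITELIST + ["https://example.com/app"]
    for entry, hint in audit_whitelist(stale).items():
        print("fix %r: %s" % (entry, hint))
```

The second sample origin is the case the fix closes: the host-only comparison accepts `http://example.com`, while the scheme-aware one rejects it.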
- Tested on Django 2.2. No changes were needed for compatibility.
- Tested on Python 3.7. No changes were needed for compatibility.
- Improve inclusion of tests in
- Include test infrastructure in `sdist` to allow consumers to use it.
- Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.
`collections.abc.Sequence` on Python 3.7.
- Always add 'Origin' to the 'Vary' header for responses to enabled URLs, to prevent caching of responses intended for one origin being served for another.
request.path, so the patterns can work without knowing the site's path prefix at configuration time.
`Content-Length` header to CORS preflight requests. This fixes issues with some HTTP proxies and servers, e.g. AWS Elastic Beanstalk.
- Django 2.0 compatibility. Again there were no changes to the actual library code, so previous versions probably work.
- Ensured that `request._cors_enabled` is always a `bool()` - previously it could be set to a regex match object.
- Django 1.11 compatibility. There were no changes to the actual library code, so previous versions probably work, though they weren't properly tested on 1.11.
- Fix when the check for `CORS_MODEL` is done to allow it to properly add the headers and respond to
- Add support for specifying 'null' in
- Remove previously undocumented `CorsModel` as it was causing migration issues. For backwards compatibility, any users previously using `CorsModel` should create a model in their own app that inherits from the new `AbstractCorsModel`, and to keep using the same data, set the model's `db_table` to 'corsheaders_corsmodel'. Users not using `CorsModel` will find they have an unused table that they can drop.
- Make sure that `Access-Control-Allow-Credentials` is in the response if the client asks for it.
- Fix a bug with the single check if CORS enabled added in 1.3.0: on Django < 1.10 shortcut responses could be generated by middleware above `CorsMiddleware`, before it processed the request, failing with an `request._cors_enabled`. Also clarified the docs that `CorsMiddleware` should be kept as high as possible in your middleware stack, above any middleware that can generate such responses.
- Add checks to validate the types of the settings.
- Add the 'Do Not Track' header `'DNT'` to the default for
- Add 'Origin' to the 'Vary' header of outgoing requests when not allowing all origins, as per the CORS spec. Note this changes the way HTTP caching works with your CORS-enabled responses.
- Check whether CORS should be enabled on a request only once. This slightly changes the conditions under which any custom signals will be called: signals will now always be called before `HTTP_REFERER` gets replaced, whereas before they could be called before and after. Also this attaches the attribute `request` - please take care that other code you're running does not remove it.
`CorsModel.__str__` for human-readable text
- Add a signal that allows you to add code for more intricate control over when CORS headers are added.
- Made settings respond dynamically to changes, and allow importing the defaults for headers and methods in order to extend them.
- Drop Python 2.6 support.
- Drop Django 1.3-1.7 support, as they are no longer supported.
- Confirmed Django 1.9 support (no changes outside of tests were necessary).
- Added Django 1.10 support.
- Package as a universal wheel.
- django-cors-headers now supports Django 1.8 with its new application loading system! Thanks @jpadilla for making this possible and sorry for the delay in making a release.
django-cors-headers is all grown-up :) Since it's been used in production for many many deployments, I think it's time we mark this as a stable release.
- Switching this middleware versioning over to semantic versioning
- #46 add user-agent and accept-encoding default headers
- #45 pep-8 this big boy up
- Add support for Python 3
- Updated tests
- Improved documentation
- Small bugfixes
- Added an option to selectively enable CORS only for specific URLs
- Added the ability to specify a regex for whitelisting many origin hostnames at once
- Introduced port distinction for origin checking
`urlparse` for Python 3 support
- Added testcases to project
- Add support for exposed response headers
- Fixed middleware to ensure correct response for CORS preflight requests
`Access-Control-Allow-Credentials` control to simple requests
- Bugfix to repair mismatched default variable names
- Refactor/pull defaults into separate file
- Initial release