Switch from
urlparse()
tourlsplit()
for URL parsing, reducing the middleware runtime up to 5%. This changes the type passed toorigin_found_in_white_lists()
, so if you have subclassed the middleware to override this method, you should check it is compatible (it most likely is).Thanks to Thibaut Decombe in PR #793.
- Support Python 3.11.
- Support Django 4.1.
- Drop support for Django 2.2, 3.0, and 3.1.
- Drop Python 3.6 support.
Prevent a crash when an invalid
Origin
header is sent.Thanks to minusf for the report in Issue #701.
- Support Python 3.10.
- Support Django 4.0.
- Add type hints.
- Stop distributing tests to reduce package size. Tests are not intended to be run outside of the tox setup in the repository. Repackagers can use GitHub's tarballs per tag.
- Support Django 3.2.
- Drop Python 3.5 support.
- Support Python 3.9.
Following Django’s example in Ticket #31670 for replacing the term “whitelist”, plus an aim to make the setting names more comprehensible, the following settings have been renamed:
CORS_ORIGIN_WHITELIST
->CORS_ALLOWED_ORIGINS
CORS_ORIGIN_REGEX_WHITELIST
->CORS_ALLOWED_ORIGIN_REGEXES
CORS_ORIGIN_ALLOW_ALL
->CORS_ALLOW_ALL_ORIGINS
The old names will continue to work as aliases, with the new ones taking precedence.
- Drop Django 2.0 and 2.1 support.
- Add Django 3.1 support.
- Drop Django 1.11 support. Only Django 2.0+ is supported now.
- Drop the
providing_args
argument fromSignal
to prevent a deprecation warning on Django 3.1.
- Update LICENSE file to Unix line endings, fixing issues with license checker
pip-licenses
(Issue #477).
- Converted setuptools metadata to configuration file. This meant removing the
__version__
attribute from the package. If you want to inspect the installed version, useimportlib.metadata.version("django-cors-headers")
(docs / backport). - Support Python 3.8.
- Support the value file:// for origins, which is accidentally sent by some versions of Chrome on Android.
- Drop Python 2 support, only Python 3.5-3.7 is supported now.
- Fix all links for move from
github.com/ottoyiu/django-cors-headers
github.com/adamchainz/django-cors-headers
.
- Add a hint to the
corsheaders.E013
check to make it more obvious how to resolve it.
- Allow 'null' in
CORS_ORIGIN_WHITELIST
check.
CORS_ORIGIN_WHITELIST
now requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2) that was not implemented in this library, except from with theCORS_ORIGIN_REGEX_WHITELIST
setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecurehttp://
Origins to a securehttps://
site.You will need to update your whitelist to include schemes, for example from this:
CORS_ORIGIN_WHITELIST = ["example.com"]
...to this:
CORS_ORIGIN_WHITELIST = ["https://example.com"]
Removed the
CORS_MODEL
setting, and associated class. It seems very few, or no users were using it, since there were no bug reports since its move to abstract in version 2.0.0 (2017-01-07). If you are using this functionality, you can continue by changing your model to not inherit from the abstract one, and add a signal handler forcheck_request_enabled
that reads from your model. Note you'll need to handle the move to include schemes for Origins.
- Tested on Django 2.2. No changes were needed for compatibility.
- Tested on Python 3.7. No changes were needed for compatibility.
- Improve inclusion of tests in
sdist
to ignore.pyc
files.
- Include test infrastructure in
sdist
to allow consumers to use it.
- Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.
- Fix
DeprecationWarning
from importingcollections.abc.Sequence
on Python 3.7.
- Always add 'Origin' to the 'Vary' header for responses to enabled URL's, to prevent caching of responses intended for one origin being served for another.
- Match
CORS_URLS_REGEX
torequest.path_info
instead ofrequest.path
, so the patterns can work without knowing the site's path prefix at configuration time.
- Add
Content-Length
header to CORS preflight requests. This fixes issues with some HTTP proxies and servers, e.g. AWS Elastic Beanstalk.
- Django 2.0 compatibility. Again there were no changes to the actual library code, so previous versions probably work.
- Ensured that
request._cors_enabled
is always abool()
- previously it could be set to a regex match object.
- Django 1.11 compatibility. There were no changes to the actual library code, so previous versions probably work, though they weren't properly tested on 1.11.
- Fix when the check for
CORS_MODEL
is done to allow it to properly add the headers and respond toOPTIONS
requests.
- Add support for specifying 'null' in
CORS_ORIGIN_WHITELIST
.
- Remove previously undocumented
CorsModel
as it was causing migration issues. For backwards compatibility, any users previously usingCorsModel
should create a model in their own app that inherits from the newAbstractCorsModel
, and to keep using the same data, set the model'sdb_table
to 'corsheaders_corsmodel'. Users not usingCorsModel
will find they have an unused table that they can drop. - Make sure that
Access-Control-Allow-Credentials
is in the response if the client asks for it.
- Fix a bug with the single check if CORS enabled added in 1.3.0: on Django
< 1.10 shortcut responses could be generated by middleware above
CorsMiddleware
, before it processed the request, failing with anAttributeError
forrequest._cors_enabled
. Also clarified the docs thatCorsMiddleware
should be kept as high as possible in your middleware stack, above any middleware that can generate such responses.
- Add checks to validate the types of the settings.
- Add the 'Do Not Track' header
'DNT'
to the default forCORS_ALLOW_HEADERS
. - Add 'Origin' to the 'Vary' header of outgoing requests when not allowing all origins, as per the CORS spec. Note this changes the way HTTP caching works with your CORS-enabled responses.
- Check whether CORS should be enabled on a request only once. This has had a
minor change on the conditions where any custom signals will be called -
signals will now always be called before
HTTP_REFERER
gets replaced, whereas before they could be called before and after. Also this attaches the attribute_cors_enabled
torequest
- please take care that other code you're running does not remove it.
- Add
CorsModel.__str__
for human-readable text - Add a signal that allows you to add code for more intricate control over when CORS headers are added.
- Made settings dynamically respond to changes, and which allows you to import the defaults for headers and methods in order to extend them.
- Drop Python 2.6 support.
- Drop Django 1.3-1.7 support, as they are no longer supported.
- Confirmed Django 1.9 support (no changes outside of tests were necessary).
- Added Django 1.10 support.
- Package as a universal wheel.
- django-cors-header now supports Django 1.8 with its new application loading system! Thanks @jpadilla for making this possible and sorry for the delay in making a release.
django-cors-headers is all grown-up :) Since it's been used in production for many many deployments, I think it's time we mark this as a stable release.
- Switching this middleware versioning over to semantic versioning
- #46 add user-agent and accept-encoding default headers
- #45 pep-8 this big boy up
- Add support for Python 3
- Updated tests
- Improved documentation
- Small bugfixes
- Added an option to selectively enable CORS only for specific URLs
0.11 (2013-09-24)
- Added the ability to specify a regex for whitelisting many origin hostnames at once
- Introduced port distinction for origin checking
- Use
urlparse
for Python 3 support - Added testcases to project
- Add support for exposed response headers
- Fixed middleware to ensure correct response for CORS preflight requests
- Add
Access-Control-Allow-Credentials
control to simple requests
- Bugfix to repair mismatched default variable names
- Refactor/pull defaults into separate file
- Initial release