=======
History
=======

3.10.1 (2021-12-05)
-------------------

* Prevent a crash when an invalid ``Origin`` header is sent.

  Thanks to minusf for the report in `Issue #701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.

3.10.0 (2021-10-05)
-------------------

* Support Python 3.10.

3.9.0 (2021-09-28)
------------------

* Support Django 4.0.

3.8.0 (2021-08-15)
------------------

* Add type hints.

* Stop distributing tests to reduce package size. Tests are not intended to be
  run outside of the tox setup in the repository. Repackagers can use GitHub's
  tarballs per tag.

3.7.0 (2021-01-25)
------------------

* Support Django 3.2.

3.6.0 (2020-12-13)
------------------

* Drop Python 3.5 support.
* Support Python 3.9.

3.5.0 (2020-08-25)
------------------

* Following Django’s example in
  `Ticket #31670 <https://code.djangoproject.com/ticket/31670>`__ for replacing
  the term “whitelist”, plus an aim to make the setting names more
  comprehensible, the following settings have been renamed:

  * ``CORS_ORIGIN_WHITELIST`` -> ``CORS_ALLOWED_ORIGINS``
  * ``CORS_ORIGIN_REGEX_WHITELIST`` -> ``CORS_ALLOWED_ORIGIN_REGEXES``
  * ``CORS_ORIGIN_ALLOW_ALL`` -> ``CORS_ALLOW_ALL_ORIGINS``

  The old names will continue to work as aliases, with the new ones taking
  precedence.

3.4.0 (2020-06-19)
------------------

* Drop Django 2.0 and 2.1 support.

3.4.0 (2020-06-15)
------------------

* Add Django 3.1 support.

3.3.0 (2020-05-18)
------------------

* Drop Django 1.11 support. Only Django 2.0+ is supported now.
* Drop the ``providing_args`` argument from ``Signal`` to prevent a deprecation
  warning on Django 3.1.

3.2.1 (2020-01-04)
------------------

* Update LICENSE file to Unix line endings, fixing issues with license checker
  ``pip-licenses`` (`Issue
  #477 <https://github.com/adamchainz/django-cors-headers/issues/477>`__).

3.2.0 (2019-11-15)
------------------

* Converted setuptools metadata to configuration file. This meant removing the
  ``__version__`` attribute from the package. If you want to inspect the
  installed version, use
  ``importlib.metadata.version("django-cors-headers")``
  (`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
  `backport <https://pypi.org/project/importlib-metadata/>`__).
* Support Python 3.8.

3.1.1 (2019-09-30)
------------------

* Support the value ``file://`` for origins, which is accidentally sent by some
  versions of Chrome on Android.

3.1.0 (2019-08-13)
------------------

* Drop Python 2 support, only Python 3.5-3.7 is supported now.
* Fix all links for move from ``github.com/ottoyiu/django-cors-headers`` to
  ``github.com/adamchainz/django-cors-headers``.

3.0.2 (2019-05-28)
------------------

* Add a hint to the ``corsheaders.E013`` check to make it more obvious how to
  resolve it.

3.0.1 (2019-05-13)
------------------

* Allow 'null' in ``CORS_ORIGIN_WHITELIST`` check.

3.0.0 (2019-05-10)
------------------

* ``CORS_ORIGIN_WHITELIST`` now requires URI schemes, and optionally ports.
  This is part of the CORS specification
  (`Section 3.2 <https://tools.ietf.org/html/rfc6454#section-3.2>`_) that was
  not implemented in this library, except with the
  ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the
  CORS middleware would allow requests between schemes, for example from
  insecure ``http://`` Origins to a secure ``https://`` site.

  You will need to update your whitelist to include schemes, for example from
  this:

  .. code-block:: python

      CORS_ORIGIN_WHITELIST = ["example.com"]

  ...to this:

  .. code-block:: python

      CORS_ORIGIN_WHITELIST = ["https://example.com"]

* Removed the ``CORS_MODEL`` setting, and associated class. It seems very few,
  or no users were using it, since there were no bug reports since its move to
  abstract in version 2.0.0 (2017-01-07). If you *are* using this
  functionality, you can continue by changing your model to not inherit from
  the abstract one, and add a signal handler for ``check_request_enabled`` that
  reads from your model. Note you'll need to handle the move to include schemes
  for Origins.
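
The cross-scheme issue fixed in 3.0.0, as an added illustration that is not code from django-cors-headers: ``host_only_match`` is a simplified model of matching on the host alone, ``full_origin_match`` compares scheme, host and port, and ``audit_allowlist`` flags entries that still need the migration shown above. All function names and sample values are constructed for this example; malformed origins are rejected rather than raising.

```python
from urllib.parse import urlsplit

LEGACY = ["example.com"]            # schemeless entry, as in the "from this" snippet
MIGRATED = ["https://example.com"]  # scheme-qualified entry, as in the "to this" snippet


def _parse(value):
    """Split an origin string; return None if urlsplit rejects it."""
    try:
        return urlsplit(value)
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return None


def host_only_match(origin, allowed_hosts):
    """Simplified model of schemeless matching: only host[:port] is compared."""
    parts = _parse(origin)
    return parts is not None and parts.netloc.lower() in allowed_hosts


def full_origin_match(origin, allowed_origins):
    """Scheme-aware matching: scheme, host and port must all agree."""
    if origin == "null":
        return "null" in allowed_origins
    parts = _parse(origin)
    if parts is None or not parts.scheme or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in allowed_origins


def audit_allowlist(entries):
    """Map each entry that is not scheme://host[:port] to the reason it fails."""
    problems = {}
    for entry in entries:
        if entry in ("null", "file://"):
            continue  # special values the changelog mentions as accepted
        parts = _parse(entry) if "://" in entry else None
        if "://" not in entry:
            problems[entry] = "missing scheme"
        elif parts is None or not parts.netloc:
            problems[entry] = "not a valid origin"
        elif parts.path or parts.query or parts.fragment:
            problems[entry] = "origin must not include a path"
    return problems


if __name__ == "__main__":
    for origin in ("http://example.com", "https://example.com"):
        print(origin, host_only_match(origin, LEGACY), full_origin_match(origin, MIGRATED))
    print(audit_allowlist(["example.com", "https://example.com/api", "null"]))
```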

2.5.3 (2019-04-28)
------------------

* Tested on Django 2.2. No changes were needed for compatibility.
* Tested on Python 3.7. No changes were needed for compatibility.

2.5.2 (2019-03-15)
------------------

* Improve inclusion of tests in ``sdist`` to ignore ``.pyc`` files.

2.5.1 (2019-03-13)
------------------

* Include test infrastructure in ``sdist`` to allow consumers to use it.

2.5.0 (2019-03-05)
------------------

* Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.

2.4.1 (2019-02-28)
------------------

* Fix ``DeprecationWarning`` from importing ``collections.abc.Sequence`` on
  Python 3.7.

2.4.0 (2018-07-18)
------------------

* Always add 'Origin' to the 'Vary' header for responses to enabled URLs,
  to prevent caching of responses intended for one origin being served for
  another.

2.3.0 (2018-06-27)
------------------

* Match ``CORS_URLS_REGEX`` to ``request.path_info`` instead of
  ``request.path``, so the patterns can work without knowing the site's path
  prefix at configuration time.

2.2.1 (2018-06-27)
------------------

* Add ``Content-Length`` header to CORS preflight requests. This fixes issues
  with some HTTP proxies and servers, e.g. AWS Elastic Beanstalk.

2.2.0 (2018-02-28)
------------------

* Django 2.0 compatibility. Again there were no changes to the actual library
  code, so previous versions probably work.
* Ensured that ``request._cors_enabled`` is always a ``bool()`` - previously it
  could be set to a regex match object.

2.1.0 (2017-05-28)
------------------

* Django 1.11 compatibility. There were no changes to the actual library code,
  so previous versions probably work, though they weren't properly tested on
  1.11.

2.0.2 (2017-02-06)
------------------

* Fix when the check for ``CORS_MODEL`` is done to allow it to properly add
  the headers and respond to ``OPTIONS`` requests.

2.0.1 (2017-01-29)
------------------

* Add support for specifying 'null' in ``CORS_ORIGIN_WHITELIST``.

2.0.0 (2017-01-07)
------------------

* Remove previously undocumented ``CorsModel`` as it was causing migration
  issues. For backwards compatibility, any users previously using ``CorsModel``
  should create a model in their own app that inherits from the new
  ``AbstractCorsModel``, and to keep using the same data, set the model's
  ``db_table`` to 'corsheaders_corsmodel'. Users not using ``CorsModel``
  will find they have an unused table that they can drop.
* Make sure that ``Access-Control-Allow-Credentials`` is in the response if the
  client asks for it.

1.3.1 (2016-11-09)
------------------

* Fix a bug with the single check if CORS enabled added in 1.3.0: on Django
  < 1.10 shortcut responses could be generated by middleware above
  ``CorsMiddleware``, before it processed the request, failing with an
  ``AttributeError`` for ``request._cors_enabled``. Also clarified the docs
  that ``CorsMiddleware`` should be kept as high as possible in your middleware
  stack, above any middleware that can generate such responses.

1.3.0 (2016-11-06)
------------------

* Add checks to validate the types of the settings.
* Add the 'Do Not Track' header ``'DNT'`` to the default for
  ``CORS_ALLOW_HEADERS``.
* Add 'Origin' to the 'Vary' header of outgoing requests when not allowing all
  origins, as per the CORS spec. Note this changes the way HTTP caching works
  with your CORS-enabled responses.
* Check whether CORS should be enabled on a request only once. This has had a
  minor change on the conditions where any custom signals will be called -
  signals will now always be called *before* ``HTTP_REFERER`` gets replaced,
  whereas before they could be called before and after. Also this attaches the
  attribute ``_cors_enabled`` to ``request`` - please take care that other
  code you're running does not remove it.

1.2.2 (2016-10-05)
------------------

* Add ``CorsModel.__str__`` for human-readable text
* Add a signal that allows you to add code for more intricate control over when
  CORS headers are added.

1.2.1 (2016-09-30)
------------------

* Made settings dynamically respond to changes, which also allows you to
  import the defaults for headers and methods in order to extend them.

1.2.0 (2016-09-28)
------------------

* Drop Python 2.6 support.
* Drop Django 1.3-1.7 support, as they are no longer supported.
* Confirmed Django 1.9 support (no changes outside of tests were necessary).
* Added Django 1.10 support.
* Package as a universal wheel.

1.1.0 (2014-12-15)
------------------

* django-cors-headers now supports Django 1.8 with its new application loading
  system! Thanks @jpadilla for making this possible and sorry for the delay in
  making a release.

1.0.0 (2014-12-13)
------------------

django-cors-headers is all grown-up :) Since it's been used in production for
many many deployments, I think it's time we mark this as a stable release.

* Switching this middleware versioning over to semantic versioning
* #46 add user-agent and accept-encoding default headers
* #45 pep-8 this big boy up

0.13 (2014-08-14)
-----------------

* Add support for Python 3
* Updated tests
* Improved documentation
* Small bugfixes

0.12 (2013-09-24)
-----------------

* Added an option to selectively enable CORS only for specific URLs

0.11 (2013-09-24)
-----------------

* Added the ability to specify a regex for whitelisting many origin hostnames
  at once

0.10 (2013-09-05)
-----------------

* Introduced port distinction for origin checking
* Use ``urlparse`` for Python 3 support
* Added testcases to project

0.06 (2013-02-18)
-----------------

* Add support for exposed response headers

0.05 (2013-01-26)
-----------------

* Fixed middleware to ensure correct response for CORS preflight requests

0.04 (2013-01-25)
-----------------

* Add ``Access-Control-Allow-Credentials`` control to simple requests

0.03 (2013-01-22)
-----------------

* Bugfix to repair mismatched default variable names

0.02 (2013-01-19)
-----------------

* Refactor/pull defaults into separate file

0.01 (2013-01-19)
-----------------

* Initial release
