=======
History
=======

3.10.1 (2021-12-05)
-------------------

* Prevent a crash when an invalid ``Origin`` header is sent.

  Thanks to minusf for the report in `Issue #701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.

3.10.0 (2021-10-05)
-------------------

* Support Python 3.10.

3.9.0 (2021-09-28)
------------------

* Support Django 4.0.

3.8.0 (2021-08-15)
------------------

* Add type hints.

* Stop distributing tests to reduce package size. Tests are not intended to be
  run outside of the tox setup in the repository. Repackagers can use GitHub's
  tarballs per tag.

3.7.0 (2021-01-25)
------------------

* Support Django 3.2.

3.6.0 (2020-12-13)
------------------

* Drop Python 3.5 support.
* Support Python 3.9.

3.5.0 (2020-08-25)
------------------

* Following Django’s example in
  `Ticket #31670 <https://code.djangoproject.com/ticket/31670>`__ for replacing
  the term “whitelist”, plus an aim to make the setting names more
  comprehensible, the following settings have been renamed:

  * ``CORS_ORIGIN_WHITELIST`` -> ``CORS_ALLOWED_ORIGINS``
  * ``CORS_ORIGIN_REGEX_WHITELIST`` -> ``CORS_ALLOWED_ORIGIN_REGEXES``
  * ``CORS_ORIGIN_ALLOW_ALL`` -> ``CORS_ALLOW_ALL_ORIGINS``

  The old names will continue to work as aliases, with the new ones taking
  precedence.

3.4.0 (2020-06-19)
------------------

* Drop Django 2.0 and 2.1 support.

3.4.0 (2020-06-15)
------------------

* Add Django 3.1 support.

3.3.0 (2020-05-18)
------------------

* Drop Django 1.11 support. Only Django 2.0+ is supported now.
* Drop the ``providing_args`` argument from ``Signal`` to prevent a deprecation
  warning on Django 3.1.

3.2.1 (2020-01-04)
------------------

* Update LICENSE file to Unix line endings, fixing issues with license checker
  ``pip-licenses`` (`Issue
  #477 <https://github.com/adamchainz/django-cors-headers/issues/477>`__).

3.2.0 (2019-11-15)
------------------

* Converted setuptools metadata to configuration file. This meant removing the
  ``__version__`` attribute from the package. If you want to inspect the
  installed version, use
  ``importlib.metadata.version("django-cors-headers")``
  (`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
  `backport <https://pypi.org/project/importlib-metadata/>`__).
* Support Python 3.8.

3.1.1 (2019-09-30)
------------------

* Support the value ``file://`` for origins, which is accidentally sent by some
  versions of Chrome on Android.

3.1.0 (2019-08-13)
------------------

* Drop Python 2 support, only Python 3.5-3.7 is supported now.
* Fix all links for move from ``github.com/ottoyiu/django-cors-headers`` to
  ``github.com/adamchainz/django-cors-headers``.

3.0.2 (2019-05-28)
------------------

* Add a hint to the ``corsheaders.E013`` check to make it more obvious how to
  resolve it.

3.0.1 (2019-05-13)
------------------

* Allow 'null' in ``CORS_ORIGIN_WHITELIST`` check.

3.0.0 (2019-05-10)
------------------

* ``CORS_ORIGIN_WHITELIST`` now requires URI schemes, and optionally ports.
  This is part of the CORS specification
  (`Section 3.2 <https://tools.ietf.org/html/rfc6454#section-3.2>`_) that was
  not implemented in this library, except with the
  ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the
  CORS middleware would allow requests between schemes, for example from
  insecure ``http://`` Origins to a secure ``https://`` site.

  You will need to update your whitelist to include schemes, for example from
  this:

  .. code-block:: python

      CORS_ORIGIN_WHITELIST = ["example.com"]

  ...to this:

  .. code-block:: python

      CORS_ORIGIN_WHITELIST = ["https://example.com"]

* Removed the ``CORS_MODEL`` setting, and associated class. It seems very few,
  or no users were using it, since there were no bug reports since its move to
  abstract in version 2.0.0 (2017-01-07). If you *are* using this
  functionality, you can continue by changing your model to not inherit from
  the abstract one, and add a signal handler for ``check_request_enabled`` that
  reads from your model. Note you'll need to handle the move to include schemes
  for Origins.

2.5.3 (2019-04-28)
------------------

* Tested on Django 2.2. No changes were needed for compatibility.
* Tested on Python 3.7. No changes were needed for compatibility.

2.5.2 (2019-03-15)
------------------

* Improve inclusion of tests in ``sdist`` to ignore ``.pyc`` files.

2.5.1 (2019-03-13)
------------------

* Include test infrastructure in ``sdist`` to allow consumers to use it.

2.5.0 (2019-03-05)
------------------

* Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.

2.4.1 (2019-02-28)
------------------

* Fix ``DeprecationWarning`` from importing ``collections.abc.Sequence`` on
  Python 3.7.

2.4.0 (2018-07-18)
------------------

* Always add 'Origin' to the 'Vary' header for responses to enabled URLs,
  to prevent caching of responses intended for one origin being served for
  another.

2.3.0 (2018-06-27)
------------------

* Match ``CORS_URLS_REGEX`` to ``request.path_info`` instead of
  ``request.path``, so the patterns can work without knowing the site's path
  prefix at configuration time.
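
Added example (not code from django-cors-headers): a sketch of the 3.0.0 change described above, comparing scheme-less host matching with matching on scheme, host and port, and listing allowlist entries that still need a scheme. All function names and sample values are this example's own assumptions; ``host_only_allowed`` only illustrates scheme-less matching and is not the pre-3.0.0 code.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Return (scheme, host, port), or None unless value is scheme://host[:port]."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname or "@" in parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def host_only_allowed(origin, allowed_hosts):
    """Scheme-less matching (the 'before'): only host[:port] is compared."""
    return urlsplit(origin).netloc in allowed_hosts


def origin_allowed(origin, allowed_origins):
    """Scheme-aware matching: scheme, host and port must all equal an entry's."""
    parsed = parse_origin(origin)
    return parsed is not None and parsed in {parse_origin(o) for o in allowed_origins}


def entries_to_fix(allowed_origins):
    """Allowlist entries that are neither scheme://host[:port] nor 'null'."""
    return [o for o in allowed_origins if o != "null" and parse_origin(o) is None]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    old, new = ["example.com"], ["https://example.com"]
    for origin in ("https://example.com", "http://example.com", "http://["):
        print(origin, origin_allowed(origin, new))
    print("needs a scheme:", entries_to_fix(old + new + ["null"]))
```

With the scheme-less list, both ``http://example.com`` and ``https://example.com`` match; with the scheme-qualified list only the ``https://`` origin does, and an unparsable ``Origin`` value is rejected rather than raising.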

2.2.1 (2018-06-27)
------------------

* Add ``Content-Length`` header to CORS preflight requests. This fixes issues
  with some HTTP proxies and servers, e.g. AWS Elastic Beanstalk.

2.2.0 (2018-02-28)
------------------

* Django 2.0 compatibility. Again there were no changes to the actual library
  code, so previous versions probably work.
* Ensured that ``request._cors_enabled`` is always a ``bool()`` - previously it
  could be set to a regex match object.

2.1.0 (2017-05-28)
------------------

* Django 1.11 compatibility. There were no changes to the actual library code,
  so previous versions probably work, though they weren't properly tested on
  1.11.

2.0.2 (2017-02-06)
------------------

* Fix when the check for ``CORS_MODEL`` is done to allow it to properly add
  the headers and respond to ``OPTIONS`` requests.

2.0.1 (2017-01-29)
------------------

* Add support for specifying 'null' in ``CORS_ORIGIN_WHITELIST``.

2.0.0 (2017-01-07)
------------------

* Remove previously undocumented ``CorsModel`` as it was causing migration
  issues. For backwards compatibility, any users previously using ``CorsModel``
  should create a model in their own app that inherits from the new
  ``AbstractCorsModel``, and to keep using the same data, set the model's
  ``db_table`` to 'corsheaders_corsmodel'. Users not using ``CorsModel``
  will find they have an unused table that they can drop.
* Make sure that ``Access-Control-Allow-Credentials`` is in the response if the
  client asks for it.

1.3.1 (2016-11-09)
------------------

* Fix a bug with the single check if CORS enabled added in 1.3.0: on Django
  < 1.10 shortcut responses could be generated by middleware above
  ``CorsMiddleware``, before it processed the request, failing with an
  ``AttributeError`` for ``request._cors_enabled``. Also clarified the docs
  that ``CorsMiddleware`` should be kept as high as possible in your middleware
  stack, above any middleware that can generate such responses.

1.3.0 (2016-11-06)
------------------

* Add checks to validate the types of the settings.
* Add the 'Do Not Track' header ``'DNT'`` to the default for
  ``CORS_ALLOW_HEADERS``.
* Add 'Origin' to the 'Vary' header of outgoing requests when not allowing all
  origins, as per the CORS spec. Note this changes the way HTTP caching works
  with your CORS-enabled responses.
* Check whether CORS should be enabled on a request only once. This has had a
  minor change on the conditions where any custom signals will be called -
  signals will now always be called *before* ``HTTP_REFERER`` gets replaced,
  whereas before they could be called before and after. Also this attaches the
  attribute ``_cors_enabled`` to ``request`` - please take care that other
  code you're running does not remove it.

1.2.2 (2016-10-05)
------------------

* Add ``CorsModel.__str__`` for human-readable text
* Add a signal that allows you to add code for more intricate control over when
  CORS headers are added.

1.2.1 (2016-09-30)
------------------

* Made settings dynamically respond to changes, which allows you to import
  the defaults for headers and methods in order to extend them.

1.2.0 (2016-09-28)
------------------

* Drop Python 2.6 support.
* Drop Django 1.3-1.7 support, as they are no longer supported.
* Confirmed Django 1.9 support (no changes outside of tests were necessary).
* Added Django 1.10 support.
* Package as a universal wheel.

1.1.0 (2014-12-15)
------------------

* django-cors-headers now supports Django 1.8 with its new application loading
  system! Thanks @jpadilla for making this possible and sorry for the delay in
  making a release.

1.0.0 (2014-12-13)
------------------

django-cors-headers is all grown-up :) Since it's been used in production for
many many deployments, I think it's time we mark this as a stable release.

* Switching this middleware versioning over to semantic versioning
* #46 add user-agent and accept-encoding default headers
* #45 pep-8 this big boy up

0.13 (2014-08-14)
-----------------

* Add support for Python 3
* Updated tests
* Improved documentation
* Small bugfixes

0.12 (2013-09-24)
-----------------

* Added an option to selectively enable CORS only for specific URLs

0.11 (2013-09-24)
-----------------

* Added the ability to specify a regex for whitelisting many origin hostnames
  at once

0.10 (2013-09-05)
-----------------

* Introduced port distinction for origin checking
* Use ``urlparse`` for Python 3 support
* Added testcases to project

0.06 (2013-02-18)
-----------------

* Add support for exposed response headers

0.05 (2013-01-26)
-----------------

* Fixed middleware to ensure correct response for CORS preflight requests

0.04 (2013-01-25)
-----------------

* Add ``Access-Control-Allow-Credentials`` control to simple requests

0.03 (2013-01-22)
-----------------

* Bugfix to repair mismatched default variable names

0.02 (2013-01-19)
-----------------

* Refactor/pull defaults into separate file

0.01 (2013-01-19)
-----------------

* Initial release