chore(api): update dependency django-cors-headers to v4 (develop)
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| django-cors-headers (changelog) | dependencies | major | ==3.13.0 -> ==4.3.1 |
v4.3.1
Fixed ASGI compatibility on Python 3.12.
Thanks to Adrian Capitanu for the report in Issue #908 <https://github.com/adamchainz/django-cors-headers/issues/908> and Rooyal in MR #911 <https://github.com/adamchainz/django-cors-headers/pull/911>.
v4.3.0
Avoid adding the access-control-allow-credentials header to unallowed responses.
Thanks to Adam Romanek in MR #888 <https://github.com/adamchainz/django-cors-headers/pull/888>.
Support Django 5.0.
v4.2.0
v4.1.0
v4.0.0
Add CORS_ALLOW_PRIVATE_NETWORK setting, which enables support for the Local Network Access draft specification.
Thanks to Issac Kelly in MR #745 <https://github.com/adamchainz/django-cors-headers/pull/745> and jjurgens0 in MR #833 <https://github.com/adamchainz/django-cors-headers/pull/833>.
Remove three headers from the default "accept list": accept-encoding, dnt, and origin.
These are Forbidden header names <https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name>, which means JavaScript can never set them on requests.
Consequently, allowing them via CORS has no effect.
Thanks to jub0bs for the report in Issue #842 <https://github.com/adamchainz/django-cors-headers/issues/842>.
Drop the CORS_REPLACE_HTTPS_REFERER setting and CorsPostCsrfMiddleware.
Since Django 1.9, the CSRF_TRUSTED_ORIGINS setting has been the preferred solution to making CSRF checks pass for CORS requests.
The removed setting and middleware only existed as a workaround for Django versions before 1.9.
Add async support to the middleware, reducing overhead on async views.
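A pre-upgrade check for the v4.0.0 removals listed above, as an added example that is not part of this MR or of django-cors-headers. The function names, finding strings and sample settings are constructed for illustration; the middleware path assumes the class lived in corsheaders.middleware in 3.x.

```python
# Added example: flag settings affected by the django-cors-headers v4.0.0 changes.
# check_cors_settings, settings_from_module and the sample values are hypothetical.

REMOVED_SETTING = "CORS_REPLACE_HTTPS_REFERER"
REMOVED_MIDDLEWARE = "corsheaders.middleware.CorsPostCsrfMiddleware"  # assumed 3.x path
FORBIDDEN_HEADERS = {"accept-encoding", "dnt", "origin"}  # dropped from the defaults


def settings_from_module(module):
    """Collect the upper-case names of a Django settings module into a dict."""
    return {name: getattr(module, name) for name in dir(module) if name.isupper()}


def check_cors_settings(settings):
    """Return human-readable findings for a mapping of setting name -> value."""
    findings = []
    if REMOVED_SETTING in settings:
        findings.append(f"{REMOVED_SETTING} is set but was removed in v4.0.0")
    if REMOVED_MIDDLEWARE in settings.get("MIDDLEWARE", []):
        findings.append(f"{REMOVED_MIDDLEWARE} is in MIDDLEWARE but was removed in v4.0.0")
    # The changelog names CSRF_TRUSTED_ORIGINS as the replacement for the workaround.
    if findings and not settings.get("CSRF_TRUSTED_ORIGINS"):
        findings.append("CSRF_TRUSTED_ORIGINS is empty; set it before dropping the workaround")
    # Forbidden header names cannot be set by JavaScript, so listing them has no effect.
    listed = {header.lower() for header in settings.get("CORS_ALLOW_HEADERS", [])}
    for header in sorted(listed & FORBIDDEN_HEADERS):
        findings.append(f"CORS_ALLOW_HEADERS lists {header!r}, a forbidden header name")
    return findings


# Constructed sample resembling a 3.x-era configuration.
SAMPLE_SETTINGS = {
    "MIDDLEWARE": [
        "corsheaders.middleware.CorsMiddleware",
        "django.middleware.common.CommonMiddleware",
        "corsheaders.middleware.CorsPostCsrfMiddleware",
    ],
    "CORS_REPLACE_HTTPS_REFERER": True,
    "CORS_ALLOW_HEADERS": ["authorization", "content-type", "Origin"],
}

if __name__ == "__main__":
    for finding in check_cors_settings(SAMPLE_SETTINGS):
        print("-", finding)
```

For a real project, pass `settings_from_module()` the imported settings module instead of the sample dictionary.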
v3.14.0
Support Django 4.2.
Switch from urlparse() to urlsplit() for URL parsing, reducing the middleware runtime by up to 5%.
This changes the type passed to origin_found_in_white_lists(), so if you have subclassed the middleware to override this method, you should check it is compatible (it most likely is).
Thanks to Thibaut Decombe in MR #793 <https://github.com/adamchainz/django-cors-headers/pull/793>.
This MR has been generated by Renovate Bot.