chore(api): update dependency django-cors-headers to v4 (develop)
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
django-cors-headers (changelog) | dependencies | major |
==3.13.0 -> ==4.3.1
|
Release Notes
adamchainz/django-cors-headers (django-cors-headers)
v4.3.1
-
Fixed ASGI compatibility on Python 3.12.
Thanks to Adrian Capitanu for the report in
Issue #​908 <https://github.com/adamchainz/django-cors-headers/issues/908>
__ and Rooyal inMR #​911 <https://github.com/adamchainz/django-cors-headers/pull/911>
__.
v4.3.0
-
Avoid adding the
access-control-allow-credentials
header to unallowed responses.Thanks to Adam Romanek in
MR #​888 <https://github.com/adamchainz/django-cors-headers/pull/888>
__. -
Support Django 5.0.
v4.2.0
- Drop Python 3.7 support.
v4.1.0
- Support Python 3.12.
v4.0.0
-
Add
CORS_ALLOW_PRIVATE_NETWORK
setting, which enables support for the Local Network Access draft specification.Thanks to Issac Kelly in
MR #​745 <https://github.com/adamchainz/django-cors-headers/pull/745>
__ and jjurgens0 inMR #​833 <https://github.com/adamchainz/django-cors-headers/pull/833>
__. -
Remove three headers from the default "accept list":
accept-encoding
,dnt
, andorigin
. These areForbidden header names <https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name>
__, which means requests JavaScript can never set them. Consequently, allowing them via CORS has no effect.Thanks to jub0bs for the report in
Issue #​842 <https://github.com/adamchainz/django-cors-headers/issues/842>
__. -
Drop the
CORS_REPLACE_HTTPS_REFERER
setting andCorsPostCsrfMiddleware
. Since Django 1.9, theCSRF_TRUSTED_ORIGINS
setting has been the preferred solution to making CSRF checks pass for CORS requests. The removed setting and middleware only existed as a workaround for Django versions before 1.9. -
Add async support to the middleware, reducing overhead on async views.
v3.14.0
-
Support Django 4.2.
-
Switch from
urlparse()
tourlsplit()
for URL parsing, reducing the middleware runtime up to 5%. This changes the type passed toorigin_found_in_white_lists()
, so if you have subclassed the middleware to override this method, you should check it is compatible (it most likely is).Thanks to Thibaut Decombe in
MR #​793 <https://github.com/adamchainz/django-cors-headers/pull/793>
__.
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.