Changelog
### 3.0.0
```
------------------
* ``CORS_ORIGIN_WHITELIST`` now requires URI schemes, and optionally ports.
This is part of the CORS specification
(`Section 3.2 <https://tools.ietf.org/html/rfc6454section-3.2>`_) that was
not implemented in this library, except from with the
``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the
CORS middleware would allow requests between schemes, for example from
insecure ``http://`` Origins to a secure ``https://`` site.
You will need to update your whitelist to include schemes, for example from
this:
.. code-block:: python
CORS_ORIGIN_WHITELIST = ['example.com']
...to this:
.. code-block:: python
CORS_ORIGIN_WHITELIST = ['https://example.com']
* Removed the ``CORS_MODEL`` setting, and associated class. It seems very few,
or no users were using it, since there were no bug reports since its move to
abstract in version 2.0.0 (2017-01-07). If you *are* using this
functionality, you can continue by changing your model to not inherit from
the abstract one, and add a signal handler for ``check_request_enabled`` that
reads from your model. Note you'll need to handle the move to include schemes
for Origins.
```
### 2.5.3
```
------------------
* Tested on Django 2.2. No changes were needed for compatibility.
* Tested on Python 3.7. No changes were needed for compatibility.
```
Links
- PyPI: https://pypi.org/project/django-cors-headers
- Changelog: https://pyup.io/changelogs/django-cors-headers/
- Repo: https://github.com/ottoyiu/django-cors-headers
This PR updates django-cors-headers from 2.5.2 to 3.0.1.
Changelog
### 3.0.0 ``` ------------------ * ``CORS_ORIGIN_WHITELIST`` now requires URI schemes, and optionally ports. This is part of the CORS specification (`Section 3.2 <https://tools.ietf.org/html/rfc6454section-3.2>`_) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site. You will need to update your whitelist to include schemes, for example from this: .. code-block:: python CORS_ORIGIN_WHITELIST = ['example.com'] ...to this: .. code-block:: python CORS_ORIGIN_WHITELIST = ['https://example.com'] * Removed the ``CORS_MODEL`` setting, and associated class. It seems very few, or no users were using it, since there were no bug reports since its move to abstract in version 2.0.0 (2017-01-07). If you *are* using this functionality, you can continue by changing your model to not inherit from the abstract one, and add a signal handler for ``check_request_enabled`` that reads from your model. Note you'll need to handle the move to include schemes for Origins. ``` ### 2.5.3 ``` ------------------ * Tested on Django 2.2. No changes were needed for compatibility. * Tested on Python 3.7. No changes were needed for compatibility. ```Links
- PyPI: https://pypi.org/project/django-cors-headers - Changelog: https://pyup.io/changelogs/django-cors-headers/ - Repo: https://github.com/ottoyiu/django-cors-headers