creimers / graphene-auth-examples

Examples of authentication and authorization with django graphene
MIT License

Bump django-cors-headers from 1.2.0 to 3.0.2 #21

Open dependabot-preview[bot] opened 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps django-cors-headers from 1.2.0 to 3.0.2.

Changelog

*Sourced from [django-cors-headers's changelog](https://github.com/ottoyiu/django-cors-headers/blob/master/HISTORY.rst).*

> 3.0.2 (2019-05-28)
> ==================
>
> - Add a hint to the `corsheaders.E013` check to make it more obvious how to resolve it.
>
> 3.0.1 (2019-05-13)
> ==================
>
> - Allow 'null' in `CORS_ORIGIN_WHITELIST` check.
>
> 3.0.0 (2019-05-10)
> ==================
>
> - `CORS_ORIGIN_WHITELIST` now requires URI schemes, and optionally ports. This is part of the CORS specification ([Section 3.2](https://tools.ietf.org/html/rfc6454#section-3.2)) that was not implemented in this library, except from with the `CORS_ORIGIN_REGEX_WHITELIST` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure `http://` Origins to a secure `https://` site.
>
>   You will need to update your whitelist to include schemes, for example from this:
>
>   ```python
>   CORS_ORIGIN_WHITELIST = ['example.com']
>   ```
>
>   ...to this:
>
>   ```python
>   CORS_ORIGIN_WHITELIST = ['https://example.com']
>   ```
>
> - Removed the `CORS_MODEL` setting, and associated class. It seems very few, or no users were using it, since there were no bug reports since its move to abstract in version 2.0.0 (2017-01-07). If you *are* using this functionality, you can continue by changing your model to not inherit from the abstract one, and add a signal handler for `check_request_enabled` that reads from your model. Note you'll need to handle the move to include schemes for Origins.
>
> 2.5.3 (2019-04-28)
> ==================
>
> - Tested on Django 2.2. No changes were needed for compatibility.
> - Tested on Python 3.7. No changes were needed for compatibility.
>
> 2.5.2 (2019-03-15)
> ==================
>
> - Improve inclusion of tests in `sdist` to ignore `.pyc` files.
>
> 2.5.1 (2019-03-13)
> ==================
>
> - Include test infrastructure in `sdist` to allow consumers to use it.
>
> 2.5.0 (2019-03-05)
> ==================
>
> - Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.
>
> ... (truncated)
Commits

- [`decf922`](https://github.com/ottoyiu/django-cors-headers/commit/decf9224a9370cc2e03d607cc08c1b86efb3f777) Version 3.0.2
- [`b6ece6c`](https://github.com/ottoyiu/django-cors-headers/commit/b6ece6cf140d73219a123973b1bae2b683e630e9) Add a hint to the corsheaders.E013 check ([#417](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/417))
- [`4fccdee`](https://github.com/ottoyiu/django-cors-headers/commit/4fccdeeed2e553b03cb3f352ae9880c83d3212bd) Version 3.0.1
- [`2fe8a25`](https://github.com/ottoyiu/django-cors-headers/commit/2fe8a2538cc9a1fa32eb2da72116137a673d7a77) Allow 'null' in CORS_ORIGIN_WHITELIST check ([#405](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/405)) ([#406](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/406))
- [`6ed773b`](https://github.com/ottoyiu/django-cors-headers/commit/6ed773b29868d3441514098909bd99de8be14c56) Tidy README ([#402](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/402))
- [`2781104`](https://github.com/ottoyiu/django-cors-headers/commit/27811043546f44c9b7ad5c558cc041fb97a8af5c) Added pypi badge ([#401](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/401))
- [`b7abe70`](https://github.com/ottoyiu/django-cors-headers/commit/b7abe709dfeb7f4d05daf28d1a09b3cdf4e5deec) Version 3.0.0
- [`3c69f76`](https://github.com/ottoyiu/django-cors-headers/commit/3c69f76159e6634ab526666db73ac5ea0d8899a3) Remove relative imports ([#398](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/398))
- [`ad6c097`](https://github.com/ottoyiu/django-cors-headers/commit/ad6c0979c0bbc06fc621cde73b724078aa47b5a3) Remove tests.testapp ([#399](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/399))
- [`f79eb51`](https://github.com/ottoyiu/django-cors-headers/commit/f79eb5172c352c5cd9fdafe113b65b95a36c6553) Require scheme in origins ([#397](https://github-redirect.dependabot.com/ottoyiu/django-cors-headers/issues/397))
- Additional commits viewable in [compare view](https://github.com/ottoyiu/django-cors-headers/compare/1.2.0...3.0.2)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Dependabot has been acquired by GitHub  🎉
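
An added example, not part of this PR or of django-cors-headers' own code: a simplified model of the cross-scheme issue the 3.0.0 changelog entry describes, plus a check for whitelist entries that need migrating before this bump is merged. The function names and sample hostnames are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample settings; example.com is a placeholder host.
LEGACY_WHITELIST = ["example.com"]            # host-only entry, pre-3.0.0 style
STRICT_WHITELIST = ["https://example.com"]    # scheme included, 3.0.0+ style


def host_only_allowed(origin, whitelist):
    """Simplified model of host-only matching: the Origin's scheme is ignored."""
    return urlsplit(origin).netloc in whitelist


def origin_allowed(origin, whitelist):
    """Scheme-aware matching: scheme, host and port must all match an entry."""
    return origin in whitelist


def audit_whitelist(whitelist):
    """Return (entry, reason) pairs for entries that are not valid origins."""
    problems = []
    for entry in whitelist:
        if entry == "null":  # accepted since 3.0.1 according to the changelog
            continue
        parts = urlsplit(entry)
        if not parts.scheme or not parts.netloc:
            problems.append((entry, "missing scheme or host"))
        elif parts.path or parts.query or parts.fragment:
            problems.append((entry, "origin must not contain a path"))
    return problems


if __name__ == "__main__":
    # Host-only matching lets an insecure http:// Origin through.
    print(host_only_allowed("http://example.com", LEGACY_WHITELIST))
    # Scheme-aware matching rejects it and still accepts the https:// Origin.
    print(origin_allowed("http://example.com", STRICT_WHITELIST))
    print(origin_allowed("https://example.com", STRICT_WHITELIST))
    # Entries to fix in settings before upgrading.
    for entry, reason in audit_whitelist(LEGACY_WHITELIST):
        print(f"{entry!r}: {reason}")
```

Running `audit_whitelist` over the project's `CORS_ORIGIN_WHITELIST` in CI shows which entries must gain a scheme when a 1.x to 3.x bump like this one is merged.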