Escape path before evaluating resource rules (thanks @praetorian-colby-morgan). Prior to this, flask-cors incorrectly
evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
"/api/*" whereas the path actually expands simply to "/foo.txt"
Release 3.0.8
Fixes DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
Updated logging.warn to logging.warning (#234) Thanks Vaibhav
Release 3.0.6
Manual error in release process. Identical contents at 3.0.5.
Release 3.0.5
Fixes incorrect handling of regexes containg '[', and a few other special characters. https://github-redirect.dependabot.com/corydolphin/flask-cors/issues/212
Release 3.0.4
Handle response.headers being None. (Fixes issue #217) Thanks @dusktreader for the improvement!
Release 3.0.3
Ensure that an Origin of '*' is never sent if supports_credentials is True (fixes Issue #202)
If always_send=True, and '*' is in the allowed origins, and a request is made without an Origin header, no Access-Control-Allow-Origins header will now be returned. This is breaking if you depended on it, but was a bug as it goes against the spec.
Release 3.0.2
Fixes Issue #187: regression whereby header (and domain) matching was incorrectly case sensitive. Now it is not, making the behavior identical to 2.X and 1.X.
Release 3.0.1
Fixes Issue #183: regression whereby regular expressions for origins with an "?" are not properly matched.
This release is largely a number of small bug fixes and improvements, along with a default change in behavior, which is technically a breaking change.
Breaking Change
We added an always_send option, enabled by default, which makes Flask-CORS inject headers even if the request did not have an 'Origin' header. Because this makes debugging far easier, and has very little downside, it has also been set as the default, making it technically a breaking change. If this actually broke something for you, please let me know, and I'll help you work around it. (#156) c7a1ecdad375a796155da6aca6a1f750337175f3
Other improvements:
Adds building of universal wheels (#175) 4674c3d54260f8897bd18e5502509363dcd0d0da
Makes Flask-CORS compatible with OAuthLib's custom header class ... (#172) aaaf904845997a3b684bc6677bdfc91656a85a04
Fixes incorrect substring matches when strings are used as origins or headers (#165) 9cd3f295bd6b0ba87cc5f2afaca01b91ff43e72c
Fixes logging when unknown options are supplied (#152) bddb13ca6636c5d559ec67a95309c9607a3fcaba
Release 2.1.3
Fixes Vary:Origin header sending behavior when regex origins are used.
Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly
evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
"/api/*" whereas the path actually expands simply to "/foo.txt"
3.0.8
Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7.
Thank you @juanmaneo and @jdevera for the contribution.
3.0.7
Updated logging.warn to logging.warning (#234) Thanks Vaibhav
3.0.6
Manual error in release process. Identical contents at 3.0.5.
3.0.5
Fixes incorrect handling of regexes containg [, and a few other special characters. Fixes Issue #212
3.0.4
Handle response.headers being None. (Fixes issue #217)
3.0.3
Ensure that an Origin of '*' is never sent if supports_credentials is True (fixes Issue #202)
If always_send=True, and '*' is in the allowed origins, and a request is made without an Origin header, no Access-Control-Allow-Origins header will now be returned. This is breaking if you depended on it, but was a bug as it goes against the spec.
3.0.2
Fixes Issue #187: regression whereby header (and domain) matching was incorrectly case sensitive. Now it is not, making the behavior identical to 2.X and 1.X.
3.0.1
Fixes Issue #183: regression whereby regular expressions for origins with an "?" are not properly matched.
3.0.0
This release is largely a number of small bug fixes and improvements, along with a default change in behavior, which is technically a breaking change.
Breaking Change
We added an always_send option, enabled by default, which makes Flask-CORS inject headers even if the request did not have an 'Origin' header. Because this makes debugging far easier, and has very little downside, it has also been set as the default, making it technically a breaking change. If this actually broke something for you, please let me know, and I'll help you work around it. (#156) c7a1ecdad375a796155da6aca6a1f750337175f3
Other improvements:
Adds building of universal wheels (#175) 4674c3d54260f8897bd18e5502509363dcd0d0da
Makes Flask-CORS compatible with OAuthLib's custom header class ... (#172) aaaf904845997a3b684bc6677bdfc91656a85a04
Fixes incorrect substring matches when strings are used as origins or headers (#165) 9cd3f295bd6b0ba87cc5f2afaca01b91ff43e72c
Fixes logging when unknown options are supplied (#152) bddb13ca6636c5d559ec67a95309c9607a3fcaba
2.1.3
Fixes Vary:Origin header sending behavior when regex origins are used.
Commits
91babb9 Update Api docs for credentialed requests (#221)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/manu-chroma/username-availability-checker/network/alerts).
Bumps flask-cors from 2.1.2 to 3.0.9.
Release notes
Sourced from flask-cors's releases.
Changelog
Sourced from flask-cors's changelog.
Commits
91babb9Update Api docs for credentialed requests (#221)522d989Release version 3.0.9 (#273)67c4b2cFix request path normalization (#272)5c6e05edocs: Fix simple typo, garaunteed -> guaranteed566aef2Fixed over-indentation8a4e6e7Update changelog to give proper kudos to@juanmaneoand@jdeverac93f4e4Fix DeprecationWarning on python 3.7 for python 3.813fbb1eRelease 3.0.7 (#235)c2fc616Release 3.0.79f56fd7Updated logging.warn to logging.warning (#234)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/manu-chroma/username-availability-checker/network/alerts).