- New release notes go here.
- Ensured that
request._cors_enabledis always abool()- previously it could be set to a regex match object.
- Django 1.11 compatibility. There were no changes to the actual library code, so previous versions probably work, though they weren't properly tested on 1.11.
- Fix when the check for
CORS_MODELis done to allow it to properly add the headers and respond toOPTIONSrequests.
- Add support for specifying 'null' in
CORS_ORIGIN_WHITELIST.
- Remove previously undocumented
CorsModelas it was causing migration issues. For backwards compatibility, any users previously usingCorsModelshould create a model in their own app that inherits from the newAbstractCorsModel, and to keep using the same data, set the model'sdb_tableto 'corsheaders_corsmodel'. Users not usingCorsModelwill find they have an unused table that they can drop. - Make sure that
Access-Control-Allow-Credentialsis in the response if the client asks for it.
- Fix a bug with the single check if CORS enabled added in 1.3.0: on Django
< 1.10 shortcut responses could be generated by middleware above
CorsMiddleware, before it processed the request, failing with anAttributeErrorforrequest._cors_enabled. Also clarified the docs thatCorsMiddlewareshould be kept as high as possible in your middleware stack, above any middleware that can generate such responses.
- Add checks to validate the types of the settings.
- Add the 'Do Not Track' header
'DNT'to the default forCORS_ALLOW_HEADERS. - Add 'Origin' to the 'Vary' header of outgoing requests when not allowing all origins, as per the CORS spec. Note this changes the way HTTP caching works with your CORS-enabled responses.
- Check whether CORS should be enabled on a request only once. This has had a
minor change on the conditions where any custom signals will be called -
signals will now always be called before
HTTP_REFERERgets replaced, whereas before they could be called before and after. Also this attaches the attribute_cors_enabledtorequest- please take care that other code you're running does not remove it.
- Add
CorsModel.__str__for human-readable text - Add a signal that allows you to add code for more intricate control over when CORS headers are added.
- Made settings dynamically respond to changes, and which allows you to import the defaults for headers and methods in order to extend them.
- Drop Python 2.6 support.
- Drop Django 1.3-1.7 support, as they are no longer supported.
- Confirmed Django 1.9 support (no changes outside of tests were necessary).
- Added Django 1.10 support.
- Package as a universal wheel.
- django-cors-header now supports Django 1.8 with its new application loading system! Thanks @jpadilla for making this possible and sorry for the delay in making a release.
django-cors-headers is all grown-up :) Since it's been used in production for many many deployments, I think it's time we mark this as a stable release.
- Switching this middleware versioning over to semantic versioning
- #46 add user-agent and accept-encoding default headers
- #45 pep-8 this big boy up
- Add support for Python 3
- Updated tests
- Improved docuemntation
- Small bugfixes
- Added an option to selectively enable CORS only for specific URLs
0.11 (2013-09-24)
- Added the ability to specify a regex for whitelisting many origin hostnames at once
- Introduced port distinction for origin checking
- Use
urlparsefor Python 3 support - Added testcases to project
- Add support for exposed response headers
- Fixed middleware to ensure correct response for CORS preflight requests
- Add
Access-Control-Allow-Credentialscontrol to simple requests
- Bugfix to repair mismatched default variable names
- Refactor/pull defaults into separate file
- Initial release