Update django-cors-headers to 4.6.0

[pyup-bot]

This PR updates django-cors-headers from 2.1.0 to 4.6.0.

Changelog

4.6.0

------------------

* Drop Django 3.2 to 4.1 support.

4.5.0

------------------

* Drop Python 3.8 support.

* Support Python 3.13.

4.4.0

------------------

* Support Django 5.1.

4.3.1

------------------

* Fixed ASGI compatibility on Python 3.12.

Thanks to Adrian Capitanu for the report in `Issue 908 <https://github.com/adamchainz/django-cors-headers/issues/908>`__ and Rooyal in `PR #911 <https://github.com/adamchainz/django-cors-headers/pull/911>`__.

4.3.0

------------------

* Avoid adding the ``access-control-allow-credentials`` header to unallowed responses.

Thanks to Adam Romanek in `PR 888 <https://github.com/adamchainz/django-cors-headers/pull/888>`__.

* Support Django 5.0.

4.2.0

------------------

* Drop Python 3.7 support.

4.1.0

------------------

* Support Python 3.12.

4.0.0

------------------

* Add ``CORS_ALLOW_PRIVATE_NETWORK`` setting, which enables support for the Local Network Access draft specification.

Thanks to Issac Kelly in `PR 745 <https://github.com/adamchainz/django-cors-headers/pull/745>`__ and jjurgens0 in `PR #833 <https://github.com/adamchainz/django-cors-headers/pull/833>`__.

* Remove three headers from the default "accept list": ``accept-encoding``, ``dnt``, and ``origin``.
These are `Forbidden header names <https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name>`__, which means requests JavaScript can never set them.
Consequently, allowing them via CORS has no effect.

Thanks to jub0bs for the report in `Issue 842 <https://github.com/adamchainz/django-cors-headers/issues/842>`__.

* Drop the ``CORS_REPLACE_HTTPS_REFERER`` setting and ``CorsPostCsrfMiddleware``.
Since Django 1.9, the ``CSRF_TRUSTED_ORIGINS`` setting has been the preferred solution to making CSRF checks pass for CORS requests.
The removed setting and middleware only existed as a workaround for Django versions before 1.9.

* Add async support to the middleware, reducing overhead on async views.

3.14.0

-------------------

* Support Django 4.2.

* Switch from ``urlparse()`` to ``urlsplit()`` for URL parsing, reducing the middleware runtime up to 5%.
This changes the type passed to ``origin_found_in_white_lists()``, so if you have subclassed the middleware to override this method, you should check it is compatible (it most likely is).

Thanks to Thibaut Decombe in `PR 793 <https://github.com/adamchainz/django-cors-headers/pull/793>`__.

3.13.0

-------------------

* Support Python 3.11.

* Support Django 4.1.

3.12.0

-------------------

* Drop support for Django 2.2, 3.0, and 3.1.

3.11.0

-------------------

* Drop Python 3.6 support.

3.10.1

-------------------

* Prevent a crash when an invalid ``Origin`` header is sent.

Thanks to minusf for the report in `Issue 701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.

3.10.0

-------------------

* Support Python 3.10.

3.9.0

------------------

* Support Django 4.0.

3.8.0

------------------

* Add type hints.

* Stop distributing tests to reduce package size. Tests are not intended to be
run outside of the tox setup in the repository. Repackagers can use GitHub's
tarballs per tag.

3.7.0

------------------

* Support Django 3.2.

3.6.0

------------------

* Drop Python 3.5 support.
* Support Python 3.9.

3.5.0

------------------

* Following Django’s example in
`Ticket 31670 <https://code.djangoproject.com/ticket/31670>`__ for replacing
the term “whitelist”, plus an aim to make the setting names more
comprehensible, the following settings have been renamed:

* ``CORS_ORIGIN_WHITELIST`` -> ``CORS_ALLOWED_ORIGINS``
* ``CORS_ORIGIN_REGEX_WHITELIST`` -> ``CORS_ALLOWED_ORIGIN_REGEXES``
* ``CORS_ORIGIN_ALLOW_ALL`` -> ``CORS_ALLOW_ALL_ORIGINS``

The old names will continue to work as aliases, with the new ones taking
precedence.

3.4.0

------------------

* Add Django 3.1 support.

3.3.0

------------------

* Drop Django 1.11 support. Only Django 2.0+ is supported now.
* Drop the ``providing_args`` argument from ``Signal`` to prevent a deprecation
warning on Django 3.1.

3.2.1

------------------

* Update LICENSE file to Unix line endings, fixing issues with license checker
``pip-licenses`` (`Issue
477 <https://github.com/adamchainz/django-cors-headers/issues/477>`__).

3.2.0

------------------

* Converted setuptools metadata to configuration file. This meant removing the
``__version__`` attribute from the package. If you want to inspect the
installed version, use
``importlib.metadata.version("django-cors-headers")``
(`docs <https://docs.python.org/3.8/library/importlib.metadata.html#distribution-versions>`__ /
`backport <https://pypi.org/project/importlib-metadata/>`__).
* Support Python 3.8.

3.1.1

------------------

* Support the value `file://` for origins, which is accidentally sent by some
versions of Chrome on Android.

3.1.0

------------------

* Drop Python 2 support, only Python 3.5-3.7 is supported now.
* Fix all links for move from ``github.com/ottoyiu/django-cors-headers`` to
``github.com/adamchainz/django-cors-headers``.

3.0.2

------------------

* Add a hint to the ``corsheaders.E013`` check to make it more obvious how to
resolve it.

3.0.1

------------------

* Allow 'null' in ``CORS_ORIGIN_WHITELIST`` check.

3.0.0

------------------

* ``CORS_ORIGIN_WHITELIST`` now requires URI schemes, and optionally ports.
This is part of the CORS specification
(`Section 3.2 <https://tools.ietf.org/html/rfc6454#section-3.2>`_) that was
not implemented in this library, except from with the
``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the
CORS middleware would allow requests between schemes, for example from
insecure ``http://`` Origins to a secure ``https://`` site.

You will need to update your whitelist to include schemes, for example from
this:

.. code-block:: python

   CORS_ORIGIN_WHITELIST = ["example.com"]

...to this:

.. code-block:: python

   CORS_ORIGIN_WHITELIST = ["https://example.com"]

* Removed the ``CORS_MODEL`` setting, and associated class. It seems very few,
or no users were using it, since there were no bug reports since its move to
abstract in version 2.0.0 (2017-01-07). If you *are* using this
functionality, you can continue by changing your model to not inherit from
the abstract one, and add a signal handler for ``check_request_enabled`` that
reads from your model. Note you'll need to handle the move to include schemes
for Origins.

2.5.3

------------------

* Tested on Django 2.2. No changes were needed for compatibility.
* Tested on Python 3.7. No changes were needed for compatibility.

2.5.2

------------------

* Improve inclusion of tests in ``sdist`` to ignore ``.pyc`` files.

2.5.1

------------------

* Include test infrastructure in ``sdist`` to allow consumers to use it.

2.5.0

------------------

* Drop Django 1.8, 1.9, and 1.10 support. Only Django 1.11+ is supported now.

2.4.1

------------------

* Fix ``DeprecationWarning`` from importing ``collections.abc.Sequence`` on
Python 3.7.

2.4.0

------------------

* Always add 'Origin' to the 'Vary' header for responses to enabled URL's,
to prevent caching of responses intended for one origin being served for
another.

2.3.0

------------------

* Match ``CORS_URLS_REGEX`` to ``request.path_info`` instead of
``request.path``, so the patterns can work without knowing the site's path
prefix at configuration time.

2.2.1

------------------

* Add ``Content-Length`` header to CORS preflight requests. This fixes issues
with some HTTP proxies and servers, e.g. AWS Elastic Beanstalk.

2.2.0

------------------

* Django 2.0 compatibility. Again there were no changes to the actual library
code, so previous versions probably work.
* Ensured that ``request._cors_enabled`` is always a ``bool()`` - previously it
could be set to a regex match object.

Links

• PyPI: https://pypi.org/project/django-cors-headers
• Changelog: https://data.safetycli.com/changelogs/django-cors-headers/