Django-cors-headers

Latest version: v4.3.1

Page 7 of 10

2.0.1

Not secure
------------------

* Add support for specifying 'null' in ``CORS_ORIGIN_WHITELIST``.

2.0.0

Not secure
------------------

* Remove previously undocumented ``CorsModel`` as it was causing migration
  issues. For backwards compatibility, any users previously using ``CorsModel``
  should create a model in their own app that inherits from the new
  ``AbstractCorsModel``, and to keep using the same data, set the model's
  ``db_table`` to 'corsheaders_corsmodel'. Users not using ``CorsModel``
  will find they have an unused table that they can drop.
* Make sure that ``Access-Control-Allow-Credentials`` is in the response if the
  client asks for it.

1.3.1

Not secure
------------------

* Fix a bug in the single check for whether CORS is enabled, added in 1.3.0: on
  Django < 1.10, shortcut responses could be generated by middleware above
  ``CorsMiddleware`` before it processed the request, failing with an
  ``AttributeError`` for ``request._cors_enabled``. Also clarified in the docs
  that ``CorsMiddleware`` should be kept as high as possible in your middleware
  stack, above any middleware that can generate such responses.

1.3.0

Not secure
------------------

* Add checks to validate the types of the settings.
* Add the 'Do Not Track' header ``'DNT'`` to the default for
  ``CORS_ALLOW_HEADERS``.
* Add 'Origin' to the 'Vary' header of outgoing responses when not allowing all
  origins, as per the CORS spec. Note this changes the way HTTP caching works
  with your CORS-enabled responses.
* Check whether CORS should be enabled on a request only once. This slightly
  changes the conditions under which any custom signals are called:
  signals will now always be called *before* ``HTTP_REFERER`` gets replaced,
  whereas before they could be called before and after. This also attaches the
  attribute ``_cors_enabled`` to ``request``; please take care that other
  code you're running does not remove it.
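
The caching effect noted in the ``Vary`` entry above, as an added example: a small simulation written for this page, not django-cors-headers code. The cache class, the URL and the two origins are constructed for illustration, and the cache models only the ``Vary`` part of HTTP caching.

```python
# Added illustration; not django-cors-headers code. All names are constructed.
ALLOWED = {"https://app.example", "https://admin.example"}


def origin_server(request_headers, send_vary):
    """Reflect a whitelisted Origin, as a CORS layer with a whitelist does."""
    headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED:
        headers["Access-Control-Allow-Origin"] = origin
    if send_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal shared cache: key = URL plus the request headers named in Vary."""

    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.vary_for_url = {}  # url -> header names listed in Vary
        self.store = {}         # (url, varied header values) -> response headers

    def _key(self, url, request_headers):
        names = self.vary_for_url.get(url, ())
        return (url, tuple(request_headers.get(n) for n in names))

    def fetch(self, url, request_headers):
        key = self._key(url, request_headers)
        if key in self.store:
            return self.store[key]  # cache hit: the upstream is not consulted
        response = origin_server(request_headers, self.send_vary)
        vary = response.get("Vary", "")
        self.vary_for_url[url] = tuple(v.strip() for v in vary.split(",") if v.strip())
        self.store[self._key(url, request_headers)] = response
        return response


def second_origin_served_correctly(send_vary):
    """Warm the cache from one allowed origin, then request from another."""
    cache = SharedCache(send_vary)
    cache.fetch("/api/data", {"Origin": "https://app.example"})
    resp = cache.fetch("/api/data", {"Origin": "https://admin.example"})
    # A browser exposes the response only if the header matches the page origin.
    return resp.get("Access-Control-Allow-Origin") == "https://admin.example"
```

Without ``Vary: Origin`` the second allowed origin receives the cached header for the first and its browser rejects the response; with it, the cache stores one entry per origin.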

1.2.2

Not secure
------------------

* Add ``CorsModel.__str__`` for human-readable text.
* Add a signal that allows you to add code for more intricate control over when
  CORS headers are added.

1.2.1

Not secure
------------------

* Made settings dynamically respond to changes, which allows you to import
  the defaults for headers and methods in order to extend them.

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.