Use new maintained django-cors-headers package

readthedocs/settings/base.py

@@ -9,6 +9,7 @@
 from celery.schedules import crontab
 
 from readthedocs.core.logs import shared_processors
+from corsheaders.defaults import default_headers
 from readthedocs.core.settings import Settings
 
 
@@ -277,14 +278,14 @@ def MIDDLEWARE(self):
             'readthedocs.core.middleware.NullCharactersMiddleware',
             'readthedocs.core.middleware.ReadTheDocsSessionMiddleware',
             'django.middleware.locale.LocaleMiddleware',
+            'corsheaders.middleware.CorsMiddleware',
             'django.middleware.common.CommonMiddleware',
             'django.middleware.security.SecurityMiddleware',
             'django.middleware.csrf.CsrfViewMiddleware',
             'django.middleware.clickjacking.XFrameOptionsMiddleware',
             'django.contrib.auth.middleware.AuthenticationMiddleware',
             'django.contrib.messages.middleware.MessageMiddleware',
             'dj_pagination.middleware.PaginationMiddleware',
-            'corsheaders.middleware.CorsMiddleware',
             'csp.middleware.CSPMiddleware',
             'readthedocs.core.middleware.ReferrerPolicyMiddleware',
             'simple_history.middleware.HistoryRequestMiddleware',
@@ -734,22 +735,25 @@ def DOCKER_LIMITS(self):
     # users to CSRF attacks. The sustainability API is the only view that requires
     # cookies to be send cross-site, we override that for that view only.
     CORS_ALLOW_CREDENTIALS = False
-    CORS_ALLOW_HEADERS = (
-        'x-requested-with',
-        'content-type',
-        'accept',
-        'origin',
-        'authorization',
+
+    # Allow cross-site requests from any origin,
+    # all information from our allowed endpoits is public.
+    # 
+    # NOTE: We don't use `CORS_ALLOW_ALL_ORIGINS=True`,
+    # since that will set the `Access-Control-Allow-Origin` header to `*`,
+    # we won't be able to pass credentials fo the sustainability API with that value.
+    CORS_ALLOWED_ORIGIN_REGEXES = [".*"]
+    CORS_ALLOW_HEADERS = list(default_headers) + [
         'x-hoverxref-version',
-        'x-csrftoken'
-    )
+    ]
     # Additional protection to allow only idempotent methods.
     CORS_ALLOW_METHODS = [
         'GET',
         'OPTIONS',
         'HEAD',
     ]
 
+    # TODO: missing to migrate https://github.com/adamchainz/django-cors-headers/issues/830.
     # URLs to allow CORS to read from unauthed.
     CORS_URLS_ALLOW_ALL_REGEX = [
         r"^/api/v2/footer_html",

requirements/pip.in

@@ -107,9 +107,8 @@ dj-pagination
 # Version comparison stuff
 packaging
 
-# django-cors-middleware==1.5.0 fails with
-# AttributeError: 'dict' object has no attribute 'has_header'
-django-cors-middleware==1.4.0
+# Allow cross-site requests to some of our APIs.
+django-cors-headers
 
 # User agent parsing - used for analytics purposes
 user-agents

requirements/pip.txt

@@ -14,9 +14,9 @@ babel==2.11.0
     # via sphinx
 billiard==3.6.4.0
     # via celery
-boto3==1.26.64
+boto3==1.26.65
     # via django-storages
-botocore==1.29.64
+botocore==1.29.65
     # via
     #   boto3
     #   s3transfer
@@ -62,6 +62,7 @@ django==3.2.17
     #   dj-stripe
     #   django-allauth
     #   django-annoying
+    #   django-cors-headers
     #   django-csp
     #   django-debug-toolbar
     #   django-extensions
@@ -79,7 +80,7 @@ django-annoying==0.10.6
     # via -r requirements/pip.in
 django-autoslug==1.9.8
     # via -r requirements/pip.in
-django-cors-middleware==1.4.0
+django-cors-headers==3.13.0
     # via -r requirements/pip.in
 django-crispy-forms==1.14.0
     # via -r requirements/pip.in
@@ -294,7 +295,7 @@ vine==5.0.0
     #   amqp
     #   celery
     #   kombu
-virtualenv==20.17.1
+virtualenv==20.18.0
     # via -r requirements/pip.in
 wcwidth==0.2.6
     # via prompt-toolkit