Merge branch 'dispatch-dpop' into 'master'

update: configurable CORS headers, default includes DPoP

See merge request djangoldp-packages/djangoldp!212

djangoldp/conf/default_settings.py

@@ -134,6 +134,8 @@ DCS_SESSION_COOKIE_SAMESITE = 'none'
 
 AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.ModelBackend', 'guardian.backends.ObjectPermissionBackend']
 
+OIDC_ACCESS_CONTROL_ALLOW_HEADERS = 'Content-Type, if-match, accept, authorization, DPoP'
+
 # The minimum number of seconds a password reset link is valid for
 PASSWORD_RESET_TIMEOUT = 60 * 60 * 24 * 3
 

djangoldp/views.py

@@ -606,7 +606,9 @@ class LDPViewSet(LDPViewSetGenerator):
         response = super(LDPViewSet, self).dispatch(request, *args, **kwargs)
         response["Access-Control-Allow-Origin"] = request.META.get('HTTP_ORIGIN')
         response["Access-Control-Allow-Methods"] = "GET,POST,PUT,PATCH,DELETE"
-        response["Access-Control-Allow-Headers"] = "authorization, Content-Type, if-match, accept, sentry-trace"
+        response["Access-Control-Allow-Headers"] = \
+            getattr(settings, 'OIDC_ACCESS_CONTROL_ALLOW_HEADERS',
+                    "authorization, Content-Type, if-match, accept, DPoP")
         response["Access-Control-Expose-Headers"] = "Location, User"
         response["Access-Control-Allow-Credentials"] = 'true'
         response["Accept-Post"] = "application/ld+json"