chore(deps): update dependency django-cors-headers to v4

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
django-cors-headers (changelog)	==3.14.0 -> ==4.0.0

---

Release Notes

adamchainz/django-cors-headers

v4.0.0

Compare Source

• Add CORS_ALLOW_PRIVATE_NETWORK_ACCESS setting, which enables support for the Local Network Access draft specification.

  Thanks to Issac Kelly in PR #&#8203;745 <https://github.com/adamchainz/django-cors-headers/pull/745>__ and jjurgens0 in PR #&#8203;833 <https://github.com/adamchainz/django-cors-headers/pull/833>__.

• Remove three headers from the default "accept list": accept-encoding, dnt, and origin.
  These are Forbidden header names <https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name>__, which means requests JavaScript can never set them.
  Consequently, allowing them via CORS has no effect.

  Thanks to jub0bs for the report in Issue #&#8203;842 <https://github.com/adamchainz/django-cors-headers/issues/842>__.

• Drop the CORS_REPLACE_HTTPS_REFERER setting and CorsPostCsrfMiddleware.
  Since Django 1.9, the CSRF_TRUSTED_ORIGINS setting has been the preferred solution to making CSRF checks pass for CORS requests.
  The removed setting and middleware only existed as a workaround for Django versions before 1.9.

• Add async support to the middleware, reducing overhead on async views.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.