adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)

non-intuitive origin rejection behavior

sunomie opened this issue · comments

Firstly, thanks for this project.

Want to point out something that tripped me up for a good few hours tonight.

With a setting like:
CORS_ORIGIN_WHITELIST = (
    'https://something.com',
    'http://something.com',
)
If requests come in with an origin of something.com, they are accepted (access-control-allow-origin set in response)
If requests come in with an origin of https://something.com or http://something.com, they are rejected (no access-control-allow-origin)

That latter behavior I was not at all expecting, as React web was sending the origin that way, and CORS was getting rejected. Spent longer than I care to admit trying to find a fix, and ended up throwing this at it, and it worked:

With a setting like:
CORS_ORIGIN_WHITELIST = (
    'http://something.com:',
    'https://something.com:',
    'http://something.com:443',
    'https://something.com:80',
    'something.com:443',
    'something.com:80',
)

Weirdly, no two out of the above seemed to do it by itself (unless I gooned something up testing it).

Maybe this behavior is documented somewhere, but it was not intuitive to me. (Everything I found said that http:// and https:// allowed you to leave off the common ports 443 and 80.) This might not be a real bug ... but wanted to get it documented/searchable a bit to help the next person trying to find an answer. Thanks.

Are you on the latest version? Version 3 changed the behaviour to require schemes.

"no two out of the above seemed to do it by itself" sounds like it's not a real bug.

I'm closing this for now but happy to investigate if you can provide a failing test case.
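
An added example, not from the thread or from django-cors-headers itself: a small audit that flags whitelist entries a browser can never send verbatim in the `Origin` header. It assumes entries are compared to the header as exact strings (a simplified model), and `serialize_origin`, `audit_whitelist` and `SAMPLE` are hypothetical names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url):
    """Return url's origin the way a browser writes the Origin header
    (scheme://host, port only when non-default), or None if url has no
    http(s) scheme and host."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    # urlsplit strips the brackets from IPv6 literals; put them back.
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    origin = f"{parts.scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def audit_whitelist(entries):
    """Map each entry to None if a browser could send it verbatim,
    otherwise to a short reason it can never match exactly."""
    report = {}
    for entry in entries:
        canonical = serialize_origin(entry)
        if canonical is None:
            report[entry] = "no http(s) scheme and host"
        elif canonical != entry:
            report[entry] = f"browsers send {canonical!r} instead"
        else:
            report[entry] = None
    return report


# Constructed sample: the entries quoted in the issue, plus two near misses.
SAMPLE = (
    "https://something.com", "http://something.com",
    "http://something.com:", "https://something.com:",
    "http://something.com:443", "https://something.com:80",
    "something.com:443", "something.com:80",
    "https://something.com:443", "https://something.com/",
)

if __name__ == "__main__":
    for entry, problem in audit_whitelist(SAMPLE).items():
        print(f"{entry!r:30} {'ok' if problem is None else problem}")
```

An entry can pass this audit and still name a different origin from the one intended: `http://something.com:443` is plain HTTP on port 443, not the HTTPS site.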