class TestCorsMiddlewareProcessRequest(TestCase):
def setUp(self):
self.middleware = CorsMiddleware()
def test_process_request(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_empty_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_no_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_not_options(self):
request = Mock(path='/')
request.method = 'GET'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def setUp(self):
self.middleware = CorsMiddleware()
class TestCorsMiddlewareProcessResponse(TestCase):
def setUp(self):
self.middleware = CorsMiddleware()
def assertAccessControlAllowOriginEquals(self, response, header):
self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does "
"NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN))
self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header)
def test_process_response_no_origin(self, settings):
settings.CORS_MODEL = None
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={})
processed = self.middleware.process_response(request, response)
self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)
def test_process_response_not_in_whitelist(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ORIGIN_WHITELIST = ['example.com']
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'})
processed = self.middleware.process_response(request, response)
self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)
def test_process_response_in_whitelist(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it']
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'})
processed = self.middleware.process_response(request, response)
self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it')
def test_process_response_expose_headers(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type']
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})
processed = self.middleware.process_response(request, response)
self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS],
'accept, origin, content-type')
def test_process_response_dont_expose_headers(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_EXPOSE_HEADERS = []
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})
processed = self.middleware.process_response(request, response)
self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed)
def test_process_response_allow_credentials(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_ALLOW_CREDENTIALS = True
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})
processed = self.middleware.process_response(request, response)
self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true')
def test_process_response_dont_allow_credentials(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_ALLOW_CREDENTIALS = False
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})
processed = self.middleware.process_response(request, response)
self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed)
def test_process_response_options_method(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_ALLOW_HEADERS = ['content-type', 'origin']
settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS']
settings.CORS_PREFLIGHT_MAX_AGE = 1002
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request_headers = {'HTTP_ORIGIN': 'http://example.com'}
request = Mock(path='/', META=request_headers, method='OPTIONS')
processed = self.middleware.process_response(request, response)
self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS],
'content-type, origin')
self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS')
self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002')
def test_process_response_options_method_no_max_age(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = True
settings.CORS_ALLOW_HEADERS = ['content-type', 'origin']
settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS']
settings.CORS_PREFLIGHT_MAX_AGE = 0
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request_headers = {'HTTP_ORIGIN': 'http://example.com'}
request = Mock(path='/', META=request_headers, method='OPTIONS')
processed = self.middleware.process_response(request, response)
self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS],
'content-type, origin')
self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS')
self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed)
def test_process_response_whitelist_with_port(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ALLOW_METHODS = ['OPTIONS']
settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',)
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'}
request = Mock(path='/', META=request_headers, method='OPTIONS')
processed = self.middleware.process_response(request, response)
self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true')
def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', )
settings.CORS_ALLOW_CREDENTIALS = True
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ALLOW_METHODS = ['OPTIONS']
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}
request = Mock(path='/', META=request_headers, method='OPTIONS')
processed = self.middleware.process_response(request, response)
self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')
def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings):
settings.CORS_MODEL = None
settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', )
settings.CORS_ALLOW_CREDENTIALS = True
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ALLOW_METHODS = ['OPTIONS']
settings.CORS_URLS_REGEX = '^.*$'
response = HttpResponse()
request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}
request = Mock(path='/', META=request_headers, method='OPTIONS')
processed = self.middleware.process_response(request, response)
self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None)
def test_process_response_when_custom_model_enabled(self, settings):
from corsprofiles.models import CorsModel
CorsModel.objects.create(cors='foo.google.com')
settings.CORS_ORIGIN_REGEX_WHITELIST = ()
settings.CORS_ALLOW_CREDENTIALS = False
settings.CORS_ORIGIN_ALLOW_ALL = False
settings.CORS_ALLOW_METHODS = settings.default_methods
settings.CORS_URLS_REGEX = '^.*$'
settings.CORS_MODEL = 'corsprofiles.CorsModel'
response = HttpResponse()
request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'})
processed = self.middleware.process_response(request, response)
self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')
