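def _ensure_cors_preflight_request_allowed(self):
    """Validate a CORS preflight request and emit its response headers.

    Checks, in order: the request origin (``_ensure_request_origin_allowed``),
    the method named in ``Access-Control-Request-Method``, and every header
    named in ``Access-Control-Request-Headers``, each against the resource's
    CORS affordances.  On success sets ``Access-Control-Allow-Origin`` (echoing
    the request origin), ``Access-Control-Allow-Credentials`` when the path is
    in ``self.service.auth_spaces``, ``Access-Control-Max-Age`` when the
    affordances define a preflight cache lifespan, ``Access-Control-Allow-Methods``
    and, when any were requested, ``Access-Control-Allow-Headers``.

    Raises:
        _exc.CorsMethodForbidden: the requested method is not an affordance.
        _exc.CorsHeadersForbidden: one or more requested headers are not
            affordances; all offending names are reported, in request order.
        KeyError: ``Access-Control-Request-Method`` is absent (a preflight
            must carry it; the request-type classifier is presumed to have
            checked this already).
    """
    # Internal precondition: the caller classified this request as a preflight.
    assert self.request_cors_request_type \
        == _cors.CorsRequestType('preflight')
    self._ensure_request_origin_allowed()
    origin = self.request_origin
    affordances = self.request_cors_affordances
    preflight_type = _cors.CorsRequestType('preflight')

    # NOTE(review): the method is compared exactly as sent (browsers send it
    # upper-case), whereas the actual-request check lower-cases it first;
    # confirm which case affordances.methods is keyed on.
    preflight_requested_method = \
        self.request.headers['Access-Control-Request-Method']
    if preflight_requested_method not in affordances.methods:
        raise _exc.CorsMethodForbidden(
            self.request_resource, origin, preflight_requested_method,
            cors_request_type=preflight_type, affordances=affordances)

    # Access-Control-Request-Headers is optional and comma-separated.
    # NOTE(review): membership below is case-sensitive unless
    # affordances.request_headers normalises case; browsers lower-case the
    # names they send here — confirm.
    try:
        requested_headers_raw = \
            self.request.headers['Access-Control-Request-Headers']
    except KeyError:
        preflight_requested_headers = ()
    else:
        preflight_requested_headers = \
            [part.strip() for part in requested_headers_raw.split(',')]

    allowed_requested_headers = _oset()
    forbidden_requested_headers = _oset()
    for header in preflight_requested_headers:
        if header in affordances.request_headers:
            allowed_requested_headers.add(header)
        else:
            forbidden_requested_headers.add(header)
    # Reject with the full list rather than the first offender so the client
    # sees every disallowed header at once.
    if forbidden_requested_headers:
        raise _exc.CorsHeadersForbidden(
            self.request_resource, origin, forbidden_requested_headers,
            cors_request_type=preflight_type, affordances=affordances)

    self.set_header('Access-Control-Allow-Origin', origin)
    # NOTE(review): a response that echoes the request Origin should also
    # carry 'Vary: Origin' so a shared cache does not serve it to another
    # origin; it is not set here — confirm it is added elsewhere.
    if self.request.path in self.service.auth_spaces:
        self.set_header('Access-Control-Allow-Credentials', 'true')
    if affordances.client_preflight_cache_lifespan is not None:
        # Max-Age is integer delta-seconds; timedelta.total_seconds() is a
        # float, which would otherwise be emitted as e.g. "600.0" (and is
        # rejected outright by set_header implementations that accept only
        # str/int values).
        self.set_header('Access-Control-Max-Age',
                        int(affordances.client_preflight_cache_lifespan
                            .total_seconds()))
    # Only advertise methods this handler actually implements.
    self.set_header('Access-Control-Allow-Methods',
                    ', '.join(affordances.methods
                              & set(self.SUPPORTED_METHODS)))
    if allowed_requested_headers:
        self.set_header('Access-Control-Allow-Headers',
                        ', '.join(allowed_requested_headers))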
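def _ensure_cors_actual_request_allowed(self):
    """Validate a CORS actual (non-preflight) request and emit its headers.

    Checks, in order: the request origin (``_ensure_request_origin_allowed``),
    the lower-cased request method against ``affordances.methods``, and every
    request header name against ``affordances.request_headers``.  On success
    sets ``Access-Control-Allow-Origin`` (echoing the request origin),
    ``Access-Control-Allow-Credentials`` when the path is in
    ``self.service.auth_spaces`` and either ``Access-Control-Expose-Headers``
    (finite affordance) or the ``cors_expose_all_response_headers`` flag.

    Raises:
        _exc.CorsMethodForbidden: the request method is not an affordance.
        _exc.CorsHeadersForbidden: one or more request headers are not
            affordances; all offending names are reported.
    """
    # Internal precondition: the caller classified this request as actual.
    assert self.request_cors_request_type \
        == _cors.CorsRequestType('actual')
    self._ensure_request_origin_allowed()
    origin = self.request_origin
    affordances = self.request_cors_affordances
    actual_type = _cors.CorsRequestType('actual')

    # NOTE(review): lower-cased here but compared as sent in the preflight
    # check; confirm which case affordances.methods is keyed on.
    request_httpmethod = self.request.method.lower()
    if request_httpmethod not in affordances.methods:
        # Report the method exactly as received.  ``self.request.method`` is
        # the attribute this block reads above; a non-existent attribute here
        # would turn the forbidden-method rejection into an AttributeError.
        raise _exc.CorsMethodForbidden(
            self.request_resource, origin, self.request.method,
            cors_request_type=actual_type, affordances=affordances)

    # Every header on the request must be an affordance, not only the
    # CORS-specific ones.
    # NOTE(review): this includes standard headers such as Host/Accept and
    # compares names case-sensitively; confirm affordances.request_headers
    # covers them (or normalises case) or ordinary requests will be rejected.
    forbidden_request_headers = _oset(self.request.headers.keys()) \
        - affordances.request_headers
    if forbidden_request_headers:
        raise _exc.CorsHeadersForbidden(
            self.request_resource, origin, forbidden_request_headers,
            cors_request_type=actual_type, affordances=affordances)

    self.set_header('Access-Control-Allow-Origin', origin)
    # NOTE(review): a response that echoes the request Origin should also
    # carry 'Vary: Origin' so a shared cache does not serve it to another
    # origin; it is not set here — confirm it is added elsewhere.
    if self.request.path in self.service.auth_spaces:
        self.set_header('Access-Control-Allow-Credentials', 'true')
    if affordances.exposed_response_headers.isfinite:
        # NOTE(review): the collection object itself is passed to
        # set_header; confirm it stringifies to a comma-separated list
        # (a Tornado-style set_header accepts only str/bytes/int/datetime).
        self.set_header('Access-Control-Expose-Headers',
                        affordances.exposed_response_headers)
    else:
        # Infinite affordance: defer to whoever finalises the response to
        # expose every header.
        self.cors_expose_all_response_headers = True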