def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
# make sure the replace code is idempotent
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_request(request)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_request(request)
self.assertIsNone(response)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_view(request, None, None, None)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_view(request, None, None, None)
self.assertIsNone(response)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with override_settings(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_view(request, None, None, None)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_view(request, None, None, None)
self.assertIsNone(response)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='https://foo.google.com/',
)
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_view(request, None, None, None)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_view(request, None, None, None)
assert response is None
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_view(request, None, None, None)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_view(request, None, None, None)
assert response is None
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
# make sure it doesnt blow up when HTTP_REFERER is not present
request.META = {
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_request(request)
assert response is None
# make sure it doesnt blow up when HTTP_HOST is not present
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_request(request)
assert response is None
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = self.middleware.process_request(request)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
# make sure the replace code is idempotent
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_request(request)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_request(request)
assert response is None
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
# make sure it doesnt blow up when HTTP_REFERER is not present
request.META = {
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
# make sure it doesnt blow up when HTTP_HOST is not present
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
# make sure the replace code is idempotent
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_request(request)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
# make sure it doesnt blow up when HTTP_REFERER is not present
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
)
response = self.middleware.process_request(request)
assert response is None
# make sure it doesnt blow up when HTTP_HOST is not present
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='http://foo.google.com/',
)
response = self.middleware.process_request(request)
assert response is None
# test that we won't replace if the request is not secure
request = self.req_factory.get(
'/',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='http://foo.google.com',
HTTP_REFERER='http://foo.google.com/',
)
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'
# test that we won't replace with the setting off
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='https://foo.google.com/',
)
with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = self.middleware.process_request(request)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
# make sure the replace code is idempotent
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_request(request)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_request(request)
assert response is None