class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.pip = get( Project, slug='pip', users=[self.owner], privacy_level='public', ) self.domain = get(Domain, domain='my.valid.domain', project=self.pip) def test_proper_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_invalid_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_invalid_project(self): request = self.factory.get( self.url, {'project': 'foo'}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp)
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.pip = get( Project, slug='pip', users=[self.owner], privacy_level='public', ) self.domain = get(Domain, domain='my.valid.domain', project=self.pip) def test_proper_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_invalid_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_invalid_project(self): request = self.factory.get( self.url, {'project': 'foo'}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level='public', mail_language_project=None ) self.subproject = get( Project, users=[self.owner], privacy_level='public', mail_language_project=None, ) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject ) self.domain = get(Domain, domain='my.valid.domain', project=self.project) def test_proper_domain(self): request = self.factory.get( self.url, {'project': self.project.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_invalid_domain(self): request = self.factory.get( self.url, {'project': self.project.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_invalid_project(self): request = self.factory.get( self.url, {'project': 'foo'}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_valid_subproject(self): self.assertTrue( Project.objects.filter( pk=self.project.pk, subprojects__child=self.subproject ).exists() ) request = self.factory.get( self.url, {'project': self.subproject.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_response_no_origin(self): response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_ORIGIN not in processed @override_settings(CORS_ORIGIN_WHITELIST=['example.com']) def test_process_response_not_in_whitelist(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_ORIGIN not in processed @override_settings(CORS_ORIGIN_WHITELIST=['example.com', 'foobar.it']) def test_process_response_in_whitelist(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ORIGIN_ALLOW_ALL=True, CORS_EXPOSE_HEADERS=['accept', 'origin', 'content-type'], ) def test_process_response_expose_headers(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_EXPOSE_HEADERS] == \ 'accept, origin, content-type' @override_settings(CORS_ORIGIN_ALLOW_ALL=True) def test_process_response_dont_expose_headers(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_EXPOSE_HEADERS not in processed @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_allow_credentials(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_CREDENTIALS] == 'true' @override_settings(CORS_ORIGIN_ALLOW_ALL=True) def test_process_response_dont_allow_credentials(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in processed @override_settings( CORS_ALLOW_HEADERS=['content-type', 'origin'], CORS_ALLOW_METHODS=['GET', 'OPTIONS'], CORS_PREFLIGHT_MAX_AGE=1002, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_options_method(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed[ ACCESS_CONTROL_ALLOW_HEADERS] == 'content-type, origin' assert processed[ACCESS_CONTROL_ALLOW_METHODS] == 'GET, OPTIONS' assert processed[ACCESS_CONTROL_MAX_AGE] == '1002' @override_settings( CORS_ALLOW_HEADERS=['content-type', 'origin'], CORS_ALLOW_METHODS=['GET', 'OPTIONS'], CORS_PREFLIGHT_MAX_AGE=0, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_options_method_no_max_age(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_HEADERS] == \ 'content-type, origin' assert processed[ACCESS_CONTROL_ALLOW_METHODS] == 'GET, OPTIONS' assert ACCESS_CONTROL_MAX_AGE not in processed @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_WHITELIST=('localhost:9000', ), ) def test_process_response_whitelist_with_port(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None) == 'true' @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_REGEX_WHITELIST=('^http?://(\w+\.)?google\.com$', ), ) def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist( self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) == 'http://foo.google.com' @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_REGEX_WHITELIST=('^http?://(\w+\.)?yahoo\.com$', ), ) def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist( self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) is None @override_settings(CORS_MODEL='corsheaders.CorsModel') def test_process_response_when_custom_model_enabled(self): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) == 'http://foo.google.com' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_get(self): response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') assert response.status_code == 200 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_get_auth_view(self): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') assert response.status_code == 401 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_preflight_auth_view(self): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ response = self.client.options( '/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') assert response.status_code == 200 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' def test_signal_that_returns_false(self): def handler(*args, **kwargs): return False check_request_enabled.connect(handler) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp def test_signal_that_returns_true(self): def handler(*args, **kwargs): return True check_request_enabled.connect(handler) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings(CORS_ORIGIN_WHITELIST=['example.com']) def test_signal_allow_some_urls_to_everyone(self): def allow_api_to_all(sender, request, **kwargs): return request.path.startswith('/api/') check_request_enabled.connect(allow_api_to_all) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://example.org', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp resp = self.client.options( '/api/something/', HTTP_ORIGIN='http://example.org', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://example.org'
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), None)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_signal_works(self, settings): def handler(sender, request, **kwargs): return True settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' signals.check_request_enabled.connect(handler) response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',) response = HttpResponse() request = Mock(path='/api/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_not_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',) response = HttpResponse() request = Mock(path='/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_middleware_integration_get(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_get_auth_view(self, settings): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 401) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_preflight_auth_view(self, settings): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.options('/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn( ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_signal_works(self, settings): def handler(sender, request, **kwargs): return True settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' signals.check_request_enabled.connect(handler) response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000', ) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist( self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ( '^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist( self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ( '^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$', ) response = HttpResponse() request = Mock(path='/api/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_not_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$', ) response = HttpResponse() request = Mock(path='/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_middleware_integration_get(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_options(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = True response = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) self.assertEqual(response.status_code, 200) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], 'http://foobar.it') self.assertEqual(response['Vary'], 'Origin') def test_middleware_integration_get_auth_view(self, settings): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 401) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_preflight_auth_view(self, settings): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.options( '/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.project.versions.update(privacy_level=PUBLIC) self.version = self.project.versions.get(slug=LATEST) self.subproject = get( Project, users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.subproject.versions.update(privacy_level=PUBLIC) self.version_subproject = self.subproject.versions.get(slug=LATEST) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject, ) self.domain = get( Domain, domain='my.valid.domain', project=self.project, ) self.another_project = get( Project, privacy_level=PUBLIC, slug='another', ) self.another_project.versions.update(privacy_level=PUBLIC) self.another_version = self.another_project.versions.get(slug=LATEST) self.another_domain = get( Domain, domain='another.valid.domain', project=self.another_project, ) def test_allow_linked_domain_from_public_version(self): request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_dont_allow_linked_domain_from_private_version(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_allowed_api_public_version_from_another_domain(self): request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.another.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://another.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_not_allowed_api_private_version_from_another_domain(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.another.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://another.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_valid_subproject(self): self.assertTrue( Project.objects.filter( pk=self.project.pk, subprojects__child=self.subproject, ).exists(), ) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_embed_api_private_version_linked_domain(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( '/api/v2/embed/', {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) @mock.patch('readthedocs.core.signals._has_donate_app') def test_sustainability_endpoint_allways_allowed(self, has_donate_app): has_donate_app.return_value = True request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) @mock.patch('readthedocs.core.signals._has_donate_app') def test_sustainability_endpoint_no_ext(self, has_donate_app): has_donate_app.return_value = False request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_apiv2_endpoint_not_allowed(self): request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # This also doesn't work on registered domains. request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # Or from our public domain. request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.readthedocs.io/', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # POST is not allowed request = self.factory.post( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn( ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN), ) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ["example.com"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://foobar.it"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ["example.com", "foobar.it"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://foobar.it"}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, "http://foobar.it") def test_process_response_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ["accept", "origin", "content-type"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], "accept, origin, content-type") def test_process_response_dont_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], "true") def test_process_response_dont_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ["content-type", "origin"] settings.CORS_ALLOW_METHODS = ["GET", "OPTIONS"] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://example.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], "content-type, origin") self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], "GET, OPTIONS") self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], "1002") def test_process_response_options_method_no_max_age(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ["content-type", "origin"] settings.CORS_ALLOW_METHODS = ["GET", "OPTIONS"] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://example.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], "content-type, origin") self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], "GET, OPTIONS") self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_ORIGIN_WHITELIST = ("localhost:9000",) settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://localhost:9000"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS), "true") def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ("^http?://(\w+\.)?google\.com$",) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://foo.google.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), "http://foo.google.com") def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ("^http?://(\w+\.)?yahoo\.com$",) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://foo.google.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), None)
class RequestStartedMiddleware(MiddlewareMixin): def process_request(self, request): pretty = True if 'HTTP_X_CSAPI_PRETTY' in request.META and request.META['HTTP_X_CSAPI_PRETTY'].lower() in ['true', 'on', '1' ] else False request.META = request.META.copy() request.META['HTTP_X_CSAPI_PRETTY'] = pretty try: view_func = resolve(request.META['PATH_INFO'])[0] app_label = view_func.__module__.rsplit('.', 1)[1] view_name = view_func.__name__ methods = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['METHODS'] if methods: if getattr(request, "_CorsMiddleware", False) is False: self._CorsMiddleware = CorsMiddleware() response = self._CorsMiddleware.process_request(request) if response and request.method == "OPTIONS": response = self._CorsMiddleware.process_response(request, response) response[ACCESS_CONTROL_ALLOW_METHODS] = ", ".join(methods) try: headers = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['EXPOSE_HEADERS'] if headers: response[ACCESS_CONTROL_EXPOSE_HEADERS] = ", ".join(headers) except Exception as e: raise e try: headers = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['ALLOW_HEADERS'] if headers: response[ACCESS_CONTROL_ALLOW_HEADERS] = ", ".join(headers) except Exception as e: raise e response[ACCESS_CONTROL_ALLOW_HEADERS] = '*' response[ACCESS_CONTROL_EXPOSE_HEADERS] = [] setattr(request, "_cors_enabled", False) return response except Exception as e: raise e request.META['_time'] = time.time() """ """ req_key = 'HTTP_X_CSAPI_REQUEST_URL' req_val = None url = request.META[req_key] if req_key in request.META else None req_val = ConsoleAPI.Filter_Request_Url(url) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_AUTHORIZATION' req_val = request.META[req_key] if req_key in request.META else None if req_val: req_val = str(req_val) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_COOKIE' req_val = request.META[req_key] if req_key in request.META else None if req_val: req_val = str(req_val) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_DEBUG' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_FOLLOW_REDIRECTION' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_HTTP_VERSION' req_val = request.META[req_key] if req_key in request.META else None req_val = 1.0 if req_val in ['1', '1.0'] else ( 1.1 if req_val in ['1.1'] else 2.0 if req_val in ['2', '2.0'] else "2P" if req_val in ['2p', '2P'] else 1.1) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_IPV6' req_val = request.META[req_key] if req_key in request.META else None req_val = 6 if req_val in ['6'] else 4 request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_PRETTY' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_REFERER' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_PROXY' req_val = request.META[req_key] if req_key in request.META else None if req_val: pu = urlparse(req_val) scheme = pu.scheme netloc = pu.netloc if not netloc: req_val = None else: scheme = 'https' if 'https' in scheme else ('http1.0' if 'http1.0' in scheme else ('http' if 'http' in scheme else ('socks4a' if 'socks4a' in scheme else ('socks4' if 'socks4' in scheme else ('socks5' if 'socks5' in scheme else 'socks5_hostname' if 'socks5_hostname' in scheme else 'http'))))) netlocs = netloc.rsplit("@") userpass = netlocs[0] if len(netlocs)>1 else None netloc = netlocs[1] if len(netlocs)>1 else netlocs[0] netlocs = netloc.rsplit(":") netloc = netlocs[0] port = netlocs[1] if len(netlocs)>1 else None username = None password = None if userpass: userpasss = userpass.split(":") username = userpasss[0] password = userpasss[1] if len(userpasss[0])>1 else None req_val = {'ip':netloc, 'port':port, 'scheme':scheme, 'username':username, 'password':password} request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_SSL_VERIFIER' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_USER_AGENT' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT_LANGUAGE' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT_ENCODING' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_TIMEOUT' req_val = request.META[req_key] if req_key in request.META else None if req_val: try: req_val = int(req_val) req_val = 60 if req_val >60 else req_val except Exception as e: req_val = 60 request.META[req_key] = req_val """ Extra Headers """ req_key = 'HTTP_X_CSAPI_XHEADERS' req_val = [] for meta in request.META: xmatch = re.match(r'^(HTTP_X_CSAPI_(.*))', meta) if xmatch: xmkey = xmatch.group(2) if xmkey not in ['XHEADERS', 'TIMEOUT', 'SSL_VERIFIER', 'USER_AGENT', 'REQUEST_URL', 'PROXY', 'REFERER', 'PRETTY', 'IPV6', 'HTTP_VERSION', 'FOLLOW_REDIRECTION', 'DEBUG', 'ACCEPT', 'ACCEPT_ENCODING', 'ACCEPT_LANGUAGE']: req_val.append({ xmkey.lower().replace('_', '-').title() :request.META[ xmatch.group(0)]}) request.META[req_key] = req_val print(request.META['HTTP_X_CSAPI_XHEADERS']) print(request.META['HTTP_X_CSAPI_TIMEOUT']) print(request.META['HTTP_X_CSAPI_SSL_VERIFIER']) print(request.META['HTTP_X_CSAPI_PROXY']) print(request.META['HTTP_X_CSAPI_PRETTY']) print(request.META['HTTP_X_CSAPI_IPV6']) print(request.META['HTTP_X_CSAPI_HTTP_VERSION']) print(request.META['HTTP_X_CSAPI_DEBUG']) print(request.META['HTTP_X_CSAPI_FOLLOW_REDIRECTION']) print(request.META['HTTP_X_CSAPI_COOKIE']) print(request.META['HTTP_X_CSAPI_AUTHORIZATION']) print(request.META['HTTP_X_CSAPI_COOKIE']) print(request.META['HTTP_X_CSAPI_REQUEST_URL']) print(request.META['HTTP_X_CSAPI_USER_AGENT']) print(request.META['HTTP_X_CSAPI_ACCEPT_LANGUAGE']) print(request.META['HTTP_X_CSAPI_ACCEPT_ENCODING']) print(request.META['HTTP_X_CSAPI_ACCEPT']) return None