Example #1
    def test_response_exempt(self):
        """
        The middleware honours a response's ``xframe_options_exempt`` flag.

        With the flag False the X-Frame-Options header is still added; with
        the flag True the response is returned without it, so an exempt
        response carries no framing restriction from this middleware.
        """
        with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
            # Flag explicitly False: the configured policy must be applied.
            not_exempt = HttpResponse()
            not_exempt.xframe_options_exempt = False
            middleware = XFrameOptionsMiddleware()
            processed = middleware.process_response(HttpRequest(), not_exempt)
            self.assertEqual(processed['X-Frame-Options'], 'SAMEORIGIN')

            # Flag True: the middleware must leave the header off.
            exempt = HttpResponse()
            exempt.xframe_options_exempt = True
            middleware = XFrameOptionsMiddleware()
            processed = middleware.process_response(HttpRequest(), exempt)
            self.assertIsNone(processed.get('X-Frame-Options'))
Example #2
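    def test_response_exempt(self):
        """
        The middleware honours a response's ``xframe_options_exempt`` flag.

        If the attribute is False the X-Frame-Options header is still set;
        if it is True the middleware does not set it, so the exempt response
        is returned without the framing restriction.
        """
        with override_settings(X_FRAME_OPTIONS="SAMEORIGIN"):
            # Not exempt: the configured value must appear on the response.
            response = HttpResponse()
            response.xframe_options_exempt = False
            r = XFrameOptionsMiddleware().process_response(HttpRequest(), response)
            self.assertEqual(r["X-Frame-Options"], "SAMEORIGIN")

            # Exempt: the header must be absent altogether.
            response = HttpResponse()
            response.xframe_options_exempt = True
            r = XFrameOptionsMiddleware().process_response(HttpRequest(), response)
            # assertIsNone is an identity check and reports the unexpected
            # header value on failure, unlike assertEqual(..., None).
            self.assertIsNone(r.get("X-Frame-Options"))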
Example #3
    def test_exempt_decorator(self):
        """
        @xframe_options_exempt marks a view's response so that
        XFrameOptionsMiddleware does NOT add the X-Frame-Options header.
        """
        @xframe_options_exempt
        def exempt_view(request):
            return HttpResponse()

        request = HttpRequest()
        view_response = exempt_view(request)
        # The decorator adds no header itself; it only flags the response.
        self.assertIsNone(view_response.get('X-Frame-Options'))
        self.assertTrue(view_response.xframe_options_exempt)

        # The flag only matters if the middleware respects it, so run the
        # decorated response through the middleware and check that the
        # header is still absent.
        processed = XFrameOptionsMiddleware().process_response(
            request, view_response)
        self.assertIsNone(processed.get('X-Frame-Options'))
Example #4
    def test_response_exempt(self):
        """
        The middleware honours a response's ``xframe_options_exempt`` flag.

        With the flag False the X-Frame-Options header is still set; with
        the flag True the middleware leaves it off.
        """
        # NOTE(review): this assigns to the global settings object and
        # nothing in this method restores it; presumably setUp/tearDown on
        # the enclosing class does. Confirm, or later tests inherit the value.
        settings.X_FRAME_OPTIONS = 'SAMEORIGIN'

        # Not exempt: the configured value must appear on the response.
        not_exempt = HttpResponse()
        not_exempt.xframe_options_exempt = False
        middleware = XFrameOptionsMiddleware()
        processed = middleware.process_response(HttpRequest(), not_exempt)
        self.assertEqual(processed['X-Frame-Options'], 'SAMEORIGIN')

        # Exempt: the header must be absent.
        exempt = HttpResponse()
        exempt.xframe_options_exempt = True
        middleware = XFrameOptionsMiddleware()
        processed = middleware.process_response(HttpRequest(), exempt)
        header = processed.get('X-Frame-Options', None)
        self.assertEqual(header, None)
Example #5
    def test_exempt_decorator(self):
        """
        A view wrapped in @xframe_options_exempt produces a response that
        XFrameOptionsMiddleware passes through without X-Frame-Options.
        """
        @xframe_options_exempt
        def flagged_view(request):
            return HttpResponse()

        incoming = HttpRequest()
        outgoing = flagged_view(incoming)

        # Straight out of the view: no header yet, but the flag is set.
        self.assertIsNone(outgoing.get('X-Frame-Options'))
        self.assertTrue(outgoing.xframe_options_exempt)

        # The decorator exists to suppress the middleware, so verify the
        # end-to-end effect: the header is still missing after processing.
        after_middleware = XFrameOptionsMiddleware().process_response(
            incoming, outgoing)
        self.assertIsNone(after_middleware.get('X-Frame-Options'))
Example #6
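    def test_response_exempt(self):
        """
        The middleware honours a response's ``xframe_options_exempt`` flag.

        If the attribute is False the X-Frame-Options header is still set;
        if it is True the middleware does not set it, so the exempt response
        is returned without the framing restriction.
        """
        with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
            # Not exempt: the configured value must appear on the response.
            response = HttpResponse()
            response.xframe_options_exempt = False
            r = XFrameOptionsMiddleware().process_response(
                HttpRequest(), response)
            self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')

            # Exempt: the header must be absent altogether.
            response = HttpResponse()
            response.xframe_options_exempt = True
            r = XFrameOptionsMiddleware().process_response(
                HttpRequest(), response)
            # assertIsNone is an identity check and reports the unexpected
            # header value on failure, unlike assertEqual(..., None).
            self.assertIsNone(r.get('X-Frame-Options'))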
Example #7
    def test_dont_set_if_set(self):
        """
        A response that already carries X-Frame-Options is left untouched.

        The middleware does not override an existing header in either
        direction: a response preset to SAMEORIGIN keeps it under a DENY
        setting, and a response preset to DENY keeps it under SAMEORIGIN.
        """
        # (site-wide setting, value already present on the response)
        cases = (
            ('DENY', 'SAMEORIGIN'),
            ('SAMEORIGIN', 'DENY'),
        )
        for site_policy, preset in cases:
            with override_settings(X_FRAME_OPTIONS=site_policy):
                response = HttpResponse()
                response['X-Frame-Options'] = preset
                middleware = XFrameOptionsMiddleware()
                processed = middleware.process_response(
                    HttpRequest(), response)
                # The per-response value wins over the setting.
                self.assertEqual(processed['X-Frame-Options'], preset)
Example #8
 def test_defaults_sameorigin(self):
     """
     With no X_FRAME_OPTIONS setting defined, the header falls back to DENY.

     NOTE(review): the method name still says "sameorigin" although the
     default asserted here is DENY.
     """
     with override_settings(X_FRAME_OPTIONS=None):
         # Remove the setting entirely so the middleware has to fall back
         # to its own default rather than read a configured value.
         del settings.X_FRAME_OPTIONS  # restored by override_settings
         middleware = XFrameOptionsMiddleware(get_response_empty)
         response = middleware(HttpRequest())
         self.assertEqual(response.headers["X-Frame-Options"], "DENY")
Example #9
 def test_defaults_sameorigin(self):
     """
     With no X_FRAME_OPTIONS setting defined, the header falls back to
     SAMEORIGIN.
     """
     with override_settings(X_FRAME_OPTIONS=None):
         # Remove the setting entirely so the middleware has to fall back
         # to its own default rather than read a configured value.
         del settings.X_FRAME_OPTIONS    # restored by override_settings
         middleware = XFrameOptionsMiddleware()
         processed = middleware.process_response(HttpRequest(), HttpResponse())
         self.assertEqual(processed['X-Frame-Options'], 'SAMEORIGIN')
Example #10
File: tests.py Project: ximi/django
 def test_defaults_sameorigin(self):
     """
     With no X_FRAME_OPTIONS setting defined, the header falls back to
     SAMEORIGIN.
     """
     # NOTE(review): this deletes the attribute from the global settings
     # object and nothing in this method restores it; presumably
     # setUp/tearDown on the enclosing class does. Confirm.
     del settings.X_FRAME_OPTIONS
     middleware = XFrameOptionsMiddleware()
     processed = middleware.process_response(HttpRequest(), HttpResponse())
     self.assertEqual(processed['X-Frame-Options'], 'SAMEORIGIN')
Example #11
    def test_response_exempt(self):
        """
        The middleware honours a response's ``xframe_options_exempt`` flag.

        A response flagged False still gets the X-Frame-Options header; a
        response flagged True is returned without it.
        """
        def view_with_flag(exempt):
            # Build a get_response callable whose response carries the flag.
            def get_response(request):
                response = HttpResponse()
                response.xframe_options_exempt = exempt
                return response
            return get_response

        with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
            # Not exempt: the configured value must appear on the response.
            middleware = XFrameOptionsMiddleware(view_with_flag(False))
            result = middleware(HttpRequest())
            self.assertEqual(result.headers['X-Frame-Options'], 'SAMEORIGIN')

            # Exempt: the header must be absent.
            middleware = XFrameOptionsMiddleware(view_with_flag(True))
            result = middleware(HttpRequest())
            self.assertIsNone(result.headers.get('X-Frame-Options'))
Example #12
    def test_dont_set_if_set(self):
        """
        A response that already carries X-Frame-Options is left untouched.

        The middleware does not override an existing header in either
        direction: a response preset to SAMEORIGIN keeps it under a DENY
        setting, and a response preset to DENY keeps it under SAMEORIGIN.
        """
        def view_presetting(value):
            # Build a get_response callable that sets the header itself.
            def get_response(request):
                response = HttpResponse()
                response.headers['X-Frame-Options'] = value
                return response
            return get_response

        # (site-wide setting, value the view already put on the response)
        cases = (
            ('DENY', 'SAMEORIGIN'),
            ('SAMEORIGIN', 'DENY'),
        )
        for site_policy, preset in cases:
            with override_settings(X_FRAME_OPTIONS=site_policy):
                middleware = XFrameOptionsMiddleware(view_presetting(preset))
                result = middleware(HttpRequest())
                # The per-response value wins over the setting.
                self.assertEqual(result.headers['X-Frame-Options'], preset)