Example #1
    def test_cors_allow_methods(self, number, data):
        """Check the Access-Control-Allow-Methods value on OPTIONS responses.

        With an Origin but no Access-Control-Request-Method the header is
        expected to be 'OPTIONS'; with a requested method it is expected to
        be exactly that method. Without an Origin the header must be absent.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.

        NOTE(review): the GET/POST cases only show the requested method
        coming back. A case requesting a method the resource does not
        support would show whether the value is filtered; confirm that is
        covered elsewhere in the suite.
        """
        preflight_cases = (
            ({'HTTP_ORIGIN': FOO_DOMAIN}, {'OPTIONS'}),
            ({'HTTP_ORIGIN': FOO_DOMAIN,
              'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'GET'}, {'GET'}),
            ({'HTTP_ORIGIN': BAR_DOMAIN}, {'OPTIONS'}),
            ({'HTTP_ORIGIN': BAR_DOMAIN,
              'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'POST'}, {'POST'}),
        )
        for request_headers, expected_methods in preflight_cases:
            response = self.options(self.USER_API_URL, headers=request_headers)
            advertised = set(response[ACCESS_CONTROL_ALLOW_METHODS].split(', '))
            assert_equal(advertised, expected_methods)

        # A request that carries no Origin is not a CORS request at all.
        response = self.options(self.USER_API_URL)
        assert_false(ACCESS_CONTROL_ALLOW_METHODS in response)
Example #2
    def test_cors_allow_headers(self, number, data):
        """Check the Access-Control-Allow-Headers value on OPTIONS responses.

        Both FOO_DOMAIN and BAR_DOMAIN are expected to receive the same
        fixed list of request headers; a request without an Origin must not
        receive the header at all.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        expected_value = ', '.join(
            ('X-Base', 'X-Offset', 'X-Fields', 'Origin', 'Content-Type', 'Accept'))

        for origin in (FOO_DOMAIN, BAR_DOMAIN):
            response = self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': origin})
            assert_equal(response[ACCESS_CONTROL_ALLOW_HEADERS], expected_value)

        # No Origin header: the allow-list of request headers is not sent.
        response = self.options(self.USER_API_URL)
        assert_false(ACCESS_CONTROL_ALLOW_HEADERS in response)
Example #3
    def test_option_with_turned_on_cors_headers_is_included_with_valid_origin(
            self, number, data):
        """Check which CORS headers an OPTIONS response carries per origin.

        Three requests are made: without an Origin, with FOO_DOMAIN and with
        BAR_DOMAIN. Only the FOO_DOMAIN response is expected to carry
        Access-Control-Allow-Origin.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        scenarios = (
            # No Origin header: only the origin-independent headers appear.
            ({}, (
                (ACCESS_CONTROL_ALLOW_ORIGIN, False),
                (ACCESS_CONTROL_EXPOSE_HEADERS, True),
                (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
                (ACCESS_CONTROL_ALLOW_HEADERS, False),
                (ACCESS_CONTROL_ALLOW_METHODS, False),
                (ACCESS_CONTROL_MAX_AGE, True),
            )),
            # FOO_DOMAIN: the full header set is expected.
            ({'headers': {'HTTP_ORIGIN': FOO_DOMAIN}}, (
                (ACCESS_CONTROL_ALLOW_ORIGIN, True),
                (ACCESS_CONTROL_EXPOSE_HEADERS, True),
                (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
                (ACCESS_CONTROL_ALLOW_HEADERS, True),
                (ACCESS_CONTROL_ALLOW_METHODS, True),
                (ACCESS_CONTROL_MAX_AGE, True),
            )),
            # BAR_DOMAIN gets no Allow-Origin; presumably it is outside the
            # configured whitelist (settings are not visible here). Without
            # Allow-Origin a browser refuses the cross-origin read whatever
            # the remaining headers say.
            # NOTE(review): Max-Age is not asserted for this case, unlike
            # the two cases above.
            ({'headers': {'HTTP_ORIGIN': BAR_DOMAIN}}, (
                (ACCESS_CONTROL_ALLOW_ORIGIN, False),
                (ACCESS_CONTROL_EXPOSE_HEADERS, True),
                (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
                (ACCESS_CONTROL_ALLOW_HEADERS, True),
                (ACCESS_CONTROL_ALLOW_METHODS, True),
            )),
        )
        for request_kwargs, expectations in scenarios:
            response = self.options(self.USER_API_URL, **request_kwargs)
            for header_name, should_be_present in expectations:
                verify = assert_true if should_be_present else assert_false
                verify(response.has_header(header_name))
Example #4
    def test_with_turned_on_cors_headers_is_included_with_valid_origin(self, number, data):
        """Check CORS headers on OPTIONS and GET responses for FOO_DOMAIN.

        The OPTIONS response is expected to carry all six headers; the GET
        response is expected to omit Allow-Headers and Allow-Methods.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.

        NOTE(review): has_header() checks presence only. Because
        Allow-Credentials is sent as well, asserting that the Allow-Origin
        value equals the request origin (and is never '*') would make this
        test stronger.
        """
        def expect_present(response, *header_names):
            for header_name in header_names:
                assert_true(response.has_header(header_name))

        def expect_absent(response, *header_names):
            for header_name in header_names:
                assert_false(response.has_header(header_name))

        origin_headers = {'HTTP_ORIGIN': FOO_DOMAIN}

        preflight = self.options(self.USER_API_URL, headers=origin_headers)
        expect_present(
            preflight,
            ACCESS_CONTROL_ALLOW_ORIGIN,
            ACCESS_CONTROL_EXPOSE_HEADERS,
            ACCESS_CONTROL_ALLOW_CREDENTIALS,
            ACCESS_CONTROL_ALLOW_HEADERS,
            ACCESS_CONTROL_ALLOW_METHODS,
            ACCESS_CONTROL_MAX_AGE,
        )

        # The GET response is expected to leave out Allow-Headers and
        # Allow-Methods, which the OPTIONS response above does carry.
        actual = self.get(self.USER_API_URL, headers={'HTTP_ORIGIN': FOO_DOMAIN})
        expect_present(
            actual,
            ACCESS_CONTROL_ALLOW_ORIGIN,
            ACCESS_CONTROL_EXPOSE_HEADERS,
            ACCESS_CONTROL_ALLOW_CREDENTIALS,
        )
        expect_absent(
            actual,
            ACCESS_CONTROL_ALLOW_HEADERS,
            ACCESS_CONTROL_ALLOW_METHODS,
        )
        expect_present(actual, ACCESS_CONTROL_MAX_AGE)
Example #5
    def test_cors_allow_methods(self, number, data):
        """Check the Access-Control-Allow-Methods value on OPTIONS responses.

        An Origin without Access-Control-Request-Method is expected to yield
        'OPTIONS'; an Origin with a requested method is expected to yield
        that method alone. A request without an Origin must not get the
        header.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        def advertised_methods(origin, requested_method=None):
            # Send an OPTIONS request and return the advertised methods as a set.
            request_headers = {'HTTP_ORIGIN': origin}
            if requested_method is not None:
                request_headers['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = requested_method
            response = self.options(self.USER_API_URL, headers=request_headers)
            return set(response[ACCESS_CONTROL_ALLOW_METHODS].split(', '))

        assert_equal(advertised_methods(FOO_DOMAIN), {'OPTIONS'})
        assert_equal(advertised_methods(FOO_DOMAIN, 'GET'), {'GET'})
        assert_equal(advertised_methods(BAR_DOMAIN), {'OPTIONS'})
        assert_equal(advertised_methods(BAR_DOMAIN, 'POST'), {'POST'})

        # Without an Origin header the response carries no Allow-Methods.
        plain_response = self.options(self.USER_API_URL)
        assert_false(ACCESS_CONTROL_ALLOW_METHODS in plain_response)
Example #6
    def test_cors_allow_headers(self, number, data):
        """Check the Access-Control-Allow-Headers value on OPTIONS responses.

        The same fixed header list is expected for FOO_DOMAIN and for
        BAR_DOMAIN, and the header must be absent when no Origin is sent.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        allowed_request_headers = (
            'X-Base', 'X-Offset', 'X-Fields', 'Origin', 'Content-Type',
            'Accept')

        foo_response = self.options(self.USER_API_URL,
                                    headers={'HTTP_ORIGIN': FOO_DOMAIN})
        foo_value = foo_response[ACCESS_CONTROL_ALLOW_HEADERS]
        assert_equal(foo_value, ', '.join(allowed_request_headers))

        bar_response = self.options(self.USER_API_URL,
                                    headers={'HTTP_ORIGIN': BAR_DOMAIN})
        bar_value = bar_response[ACCESS_CONTROL_ALLOW_HEADERS]
        assert_equal(bar_value, ', '.join(allowed_request_headers))

        # No Origin header: Allow-Headers must not be emitted.
        plain_response = self.options(self.USER_API_URL)
        header_present = ACCESS_CONTROL_ALLOW_HEADERS in plain_response
        assert_false(header_present)
Example #7
    def test_with_turned_off_cors_headers_is_not_included(self, number, data):
        """Check that no CORS header is sent on OPTIONS or GET responses.

        Going by the test name this runs with CORS switched off; the setting
        itself is not visible in this body. None of the six
        Access-Control-* headers may appear on either response.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        cors_header_names = (
            ACCESS_CONTROL_ALLOW_ORIGIN,
            ACCESS_CONTROL_EXPOSE_HEADERS,
            ACCESS_CONTROL_ALLOW_CREDENTIALS,
            ACCESS_CONTROL_ALLOW_HEADERS,
            ACCESS_CONTROL_ALLOW_METHODS,
            ACCESS_CONTROL_MAX_AGE,
        )
        # OPTIONS first, then GET, both without an Origin header.
        for send_request in (self.options, self.get):
            response = send_request(self.USER_API_URL)
            for header_name in cors_header_names:
                assert_false(response.has_header(header_name))
Example #8
    def test_with_turned_off_cors_headers_is_not_included(self, number, data):
        """Check that OPTIONS and GET responses carry no CORS headers.

        The test name indicates CORS is disabled for this case; that
        configuration is outside this body. Every one of the six
        Access-Control-* headers is expected to be missing.

        `number` and `data` are not used in this body; presumably they are
        supplied by a data-provider decorator outside this view.
        """
        def expect_no_cors_headers(response):
            # Presence check only; header values are irrelevant here.
            assert_false(response.has_header(ACCESS_CONTROL_ALLOW_ORIGIN))
            assert_false(response.has_header(ACCESS_CONTROL_EXPOSE_HEADERS))
            assert_false(response.has_header(ACCESS_CONTROL_ALLOW_CREDENTIALS))
            assert_false(response.has_header(ACCESS_CONTROL_ALLOW_HEADERS))
            assert_false(response.has_header(ACCESS_CONTROL_ALLOW_METHODS))
            assert_false(response.has_header(ACCESS_CONTROL_MAX_AGE))

        options_response = self.options(self.USER_API_URL)
        expect_no_cors_headers(options_response)

        get_response = self.get(self.USER_API_URL)
        expect_no_cors_headers(get_response)