def test_cors_adds_allow_origin_header_for_non_preflight():
    """A plain (non-OPTIONS) request ends up with a wildcard allow-origin."""
    req = Request.blank("/")
    response = req.get_response(wsgi_testapp)

    # The return value is not used here; the assertion reads the response
    # object that was passed in.
    set_cors_headers(req, response)

    allow_origin = response.headers["Access-Control-Allow-Origin"]
    assert allow_origin == "*"
def test_cors_400s_for_preflight_without_reqmethod(headers):
    """A preflight without Access-Control-Request-Method raises HTTPBadRequest."""
    # Strip the header that marks the OPTIONS request as a well-formed
    # preflight before building the request.
    del headers["Access-Control-Request-Method"]

    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = req.get_response(wsgi_testapp)

    with pytest.raises(HTTPBadRequest):
        set_cors_headers(req, response)
def test_cors_sets_allow_credentials_for_preflight_when_set(headers):
    """allow_credentials=True yields Access-Control-Allow-Credentials: true.

    NOTE(review): this only pins the credentials header. If the helper also
    echoes the caller's Origin on preflight (not established by this test),
    then credentials plus a reflected origin would grant credentialed access
    to any origin -- confirm callers that pass allow_credentials=True
    restrict origins elsewhere.
    """
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = set_cors_headers(
        req,
        req.get_response(wsgi_testapp),
        allow_credentials=True,
    )

    allow_credentials = response.headers["Access-Control-Allow-Credentials"]
    assert allow_credentials == "true"
def test_cors_sets_allow_methods_OPTIONS_for_preflight(headers):  # noqa
    """With no allow_methods given, a preflight advertises only OPTIONS."""
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = req.get_response(wsgi_testapp)

    response = set_cors_headers(req, response)

    allow_methods = response.headers["Access-Control-Allow-Methods"]
    assert allow_methods == "OPTIONS"
def test_cors_sets_allow_origin_for_preflight(headers):
    """A preflight response names a specific origin rather than a wildcard.

    The expected value is presumably the Origin supplied by the ``headers``
    fixture, which is defined outside this view -- verify against it.
    """
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = req.get_response(wsgi_testapp)

    response = set_cors_headers(req, response)

    allow_origin = response.headers["Access-Control-Allow-Origin"]
    assert allow_origin == "http://example.com"
def test_cors_sets_max_age_for_preflight_when_set(headers):
    """max_age is emitted as the string value of Access-Control-Max-Age."""
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = set_cors_headers(
        req,
        req.get_response(wsgi_testapp),
        max_age=42,
    )

    # The integer passed in is compared against its string form.
    max_age = response.headers["Access-Control-Max-Age"]
    assert max_age == "42"
def test_cors_sets_allow_headers_for_preflight_when_set(headers):
    """allow_headers is emitted as a ", "-separated Allow-Headers list."""
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = req.get_response(wsgi_testapp)

    response = set_cors_headers(req, response, allow_headers=("Foo", "X-Bar"))

    # Sort before comparing so the test does not depend on emission order.
    raw_value = response.headers["Access-Control-Allow-Headers"]
    advertised = sorted(raw_value.split(", "))
    assert advertised == ["Foo", "X-Bar"]
def test_cors_sets_allow_methods_for_preflight(headers):
    """Configured allow_methods are advertised together with OPTIONS."""
    req = Request.blank("/", method="OPTIONS", headers=headers)
    response = req.get_response(wsgi_testapp)

    response = set_cors_headers(req, response, allow_methods=("PUT", "DELETE"))

    # OPTIONS is expected in the list although only PUT and DELETE were
    # requested; sorting removes any dependence on emission order.
    raw_value = response.headers["Access-Control-Allow-Methods"]
    advertised = sorted(raw_value.split(", "))
    assert advertised == ["DELETE", "OPTIONS", "PUT"]
def test_cors_passes_through_non_preflight():
    """A non-preflight response keeps its original body and status code."""
    req = Request.blank("/")
    response = set_cors_headers(req, req.get_response(wsgi_testapp))

    # Body first, then status, so a failure reports in the same order as
    # before.
    assert response.body == "OK"
    assert response.status_code == 200
def test_cors_does_nothing_if_already_processing_an_exception_view(headers):
    """No CORS header is added when request.exception is already set."""
    # When an ordinary Pyramid view (or a decorator around it) raises,
    # Pyramid looks up a matching exception view and calls it: exception
    # views "catch" exceptions raised during view processing.
    #
    # The same is not true one level up. If an *exception view*, or a view
    # decorator applied to one, raises an exception, Pyramid just crashes:
    # exception views can't catch exceptions raised by exception views, as
    # that could create an infinite loop.
    #
    # set_cors_headers() is part of the cors_policy view decorator, so it
    # can't raise when it is decorating an exception view, or Pyramid will
    # crash.
    req = Request.blank("/", method="OPTIONS", headers=headers)
    req.exception = HTTPBadRequest()

    response = req.get_response(wsgi_testapp)
    response = set_cors_headers(req, response)

    assert "Access-Control-Allow-Origin" not in response.headers