Example #1
def test_origin_policy_match():
    """Yield origin-matching checks for a policy with three origin patterns.

    ``pol_origin`` holds an exact origin, a pattern containing ``?`` and a
    pattern containing ``*``. Each case is yielded once for the preflight
    path and once for the actual-request path.
    """
    # NOTE(review): "localhost" is the only non-matching origin exercised.
    # Near-miss origins (other scheme, an allowed host name followed by an
    # extra suffix) are not covered, so an over-broad pattern match in the
    # middleware would not be caught by this test.
    # NOTE(review): yield-style tests are not executed by pytest >= 4;
    # confirm which runner this suite relies on.
    origin_policy = free.copy()
    origin_policy["pol_origin"] = (
        "http://example.com example?.com https://*.example.com")

    corsed = mw(Response("non preflight response"), origin_policy)

    # preflight request: (origin sent, value passed as the expected result)
    preflight_cases = (
        ("localhost", None),
        ("http://example.com", "http://example.com"),
        ("example2.com", "example2.com"),
        ("https://www.example.com", "https://www.example.com"),
    )
    for sent, allowed in preflight_cases:
        yield preflight_check_result, corsed, "Origin", sent, allowed

    # actual request: a matched origin is paired with an expected "Vary"
    # value of "Origin"; the unmatched one with None.
    request_cases = (
        ("localhost", None, None),
        ("http://example.com", "http://example.com", "Origin"),
        ("example2.com", "example2.com", "Origin"),
        ("https://www.example.com", "https://www.example.com", "Origin"),
    )
    for sent, allowed, vary in request_cases:
        yield (request_check_result, corsed, "Origin", sent, allowed,
               ("Vary", vary))
Example #2
def testwildcard():
    """Check the CORS headers produced under the ``wildcard`` policy.

    Two preflight requests (one denied, one allowed) and two actual
    requests are sent through the middleware and their response headers
    are compared with fixed values.
    """
    # NOTE(review): for the denied preflight the Allow-Origin check uses a
    # default of "" and compares with "", so it passes both when the header
    # is absent and when it is present but empty. The same response is still
    # expected to carry Allow-Credentials/Methods/Headers/Max-Age.
    corsed = mw(Response(), wildcard)

    # (header, default used for the lookup, expected value)
    preflight_headers_expected = (
        ("Access-Control-Allow-Credentials", "", "true"),
        ("Access-Control-Allow-Methods", "", "post"),
        ("Access-Control-Allow-Headers", "", "*"),
        ("Access-Control-Max-Age", "0", "100"),
    )

    for request, allowed_origin in ((deniedpreflight, ""),
                                    (allowedpreflight, "sub.example.com")):
        res = request.get_response(corsed)
        assert res.headers.get("Access-Control-Allow-Origin", "") == allowed_origin
        for header, default, value in preflight_headers_expected:
            assert res.headers.get(header, default) == value
        assert "Access-Control-Expose-Headers" not in res.headers
        assert "Vary" not in res.headers

    # Actual requests: the allowed origin is returned and Vary is "Origin".
    for request, allowed_origin in ((post, "example.com"),
                                    (post3, "sub.example.com")):
        res = request.get_response(corsed)
        assert res.headers.get("Access-Control-Allow-Origin", "") == allowed_origin
        assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
        assert "Access-Control-Expose-Headers" not in res.headers
        assert res.headers.get("Vary", "") == "Origin"
Example #3
def test_non_preflight_are_not_answered():
    """requests that don't match preflight criteria are ignored

    For every key of ``preflight_headers`` one check is yielded with a copy
    of the headers that lacks exactly that key.
    """
    corsed = mw(Response("this is not a preflight response"), free)

    for missing in preflight_headers.keys():
        incomplete = preflight_headers.copy()
        # Drop one header so the request no longer carries the full set.
        incomplete.pop(missing)
        yield non_preflight_are_not_answered, corsed, incomplete
Example #4
def test_non_preflight_are_not_answered():
    """requests that don't match preflight criteria are ignored

    Yields one check per key of ``preflight_headers``; each check receives
    the header set with that single key removed.
    """
    middleware = mw(Response("this is not a preflight response"), free)

    for name_to_drop in preflight_headers.keys():
        reduced_headers = preflight_headers.copy()
        del reduced_headers[name_to_drop]
        yield non_preflight_are_not_answered, middleware, reduced_headers
Example #5
def test_selectPolicy_verbmatch():
    """check whether correct policy is returned

    With ``matchstrategy`` set to ``verbmatch`` and the policy order
    ``pol2,pol1``, ``selectPolicy("ourdomain", "PUT")`` must name ``pol1``,
    both with the methods taken from ``verbmulti`` and with
    ``pol1_methods`` overridden to ``*``.
    """
    # The second round only differs by the pol1_methods override.
    for overrides in ({}, {"pol1_methods": "*"}):
        config = verbmulti.copy()
        config["policy"] = "pol2,pol1"
        config["matchstrategy"] = "verbmatch"
        config.update(overrides)
        corsed = mw(Response("this is not a preflight response"), config)

        # The returned origin is not checked in this test.
        policyname, _ = corsed.selectPolicy("ourdomain", "PUT")
        assert policyname == "pol1", "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')" % policyname
Example #6
def test_selectPolicy_verbmatch():
    """check whether correct policy is returned

    Builds two ``verbmatch`` configurations from ``verbmulti`` (the second
    one sets ``pol1_methods`` to ``*``) and expects ``pol1`` to be selected
    for origin ``ourdomain`` and verb ``PUT`` in both.
    """
    failure = "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')"

    # First configuration: methods as defined in verbmulti.
    settings = verbmulti.copy()
    settings["policy"] = "pol2,pol1"
    settings["matchstrategy"] = "verbmatch"
    corsed = mw(Response("this is not a preflight response"), settings)

    selected = corsed.selectPolicy("ourdomain", "PUT")
    policyname, ret_origin = selected
    assert policyname == "pol1", failure % policyname

    # Second configuration: pol1 accepts every method.
    settings = verbmulti.copy()
    settings["policy"] = "pol2,pol1"
    settings["matchstrategy"] = "verbmatch"
    settings["pol1_methods"] = "*"
    corsed = mw(Response("this is not a preflight response"), settings)

    selected = corsed.selectPolicy("ourdomain", "PUT")
    policyname, ret_origin = selected
    assert policyname == "pol1", failure % policyname
Example #7
def test_selectPolicy():
    """check whether correct policy is returned

    Per the assertion messages, the policy listed first among the matching
    ones is the one returned; both orders of ``pol1`` and ``pol2`` are
    exercised. The second return value is ``*`` whenever ``pol1`` is the
    match.
    """
    config = multi.copy()
    config["policy"] = "pol2,pol1"
    corsed = mw(Response("this is not a preflight response"), config)

    # pol2 is listed first and matches this origin.
    name, origin = corsed.selectPolicy("palim.woopy.com")
    assert name == "pol2", "'pol2' should have been returned since it matches first (but result was: '%s')" % name
    assert origin == "palim.woopy.com", "'palim.woopy.com' expected since its matched by pol2 (but result was: '%s')" % origin

    # This origin is expected to fall through to pol1.
    name, origin = corsed.selectPolicy("palim.com")
    assert name == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % name
    assert origin == "*", "'*' expected since its matched by pol1 (but result was: '%s')" % origin

    # Reversed order: pol1 now wins for the origin pol2 matched before.
    config = multi.copy()
    config["policy"] = "pol1,pol2"
    corsed = mw(Response("this is not a preflight response"), config)
    name, origin = corsed.selectPolicy("palim.woopy.com")
    assert name == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % name
    assert origin == "*", "'*' expectedsince its matched by pol1 (but result was: '%s')" % origin
Example #8
def testdeny():
    """Check that the ``deny`` policy adds no CORS allow headers.

    Covers the response to ``preflight`` and the response to ``post``.
    """
    corsed = mw(Response(), deny)

    preflight_reply = preflight.get_response(corsed)
    for absent in ("Access-Control-Allow-Origin",
                   "Access-Control-Allow-Credentials",
                   "Access-Control-Allow-Methods",
                   "Access-Control-Allow-Headers",
                   "Access-Control-Max-Age"):
        assert absent not in preflight_reply.headers

    post_reply = post.get_response(corsed)
    for absent in ("Access-Control-Allow-Origin",
                   "Access-Control-Allow-Credentials"):
        assert absent not in post_reply.headers
Example #9
def testfree():
    """Check the CORS headers produced under the ``free`` policy."""
    # NOTE(review): the preflight is expected to return
    # "Access-Control-Allow-Origin: *" together with
    # "Access-Control-Allow-Credentials: true". Browsers do not accept the
    # wildcard origin for credentialed requests, and the actual response
    # below expects a concrete origin plus credentials -- presumably the
    # request's Origin echoed back (the `post` fixture is not shown). If
    # so, this policy grants credentialed access to any origin; confirm
    # that is intended wherever `free` is used outside tests.
    corsed = mw(Response(), free)

    # (header, default used for the lookup, expected value)
    expected_on_preflight = (
        ("Access-Control-Allow-Origin", "", "*"),
        ("Access-Control-Allow-Credentials", "", "true"),
        ("Access-Control-Allow-Methods", "", "post"),
        ("Access-Control-Allow-Headers", "", "*"),
        ("Access-Control-Max-Age", "0", "100"),
    )
    reply = preflight.get_response(corsed)
    for header, default, value in expected_on_preflight:
        assert reply.headers.get(header, default) == value

    expected_on_post = (
        ("Access-Control-Allow-Origin", "example.com"),
        ("Access-Control-Allow-Credentials", "true"),
    )
    reply = post.get_response(corsed)
    for header, value in expected_on_post:
        assert reply.headers.get(header, "") == value
Example #10
def test_selectPolicy_firstmatch():
    """check whether correct policy is returned

    Exercises ``selectPolicy`` with ``matchstrategy`` set to ``firstmatch``
    for the order ``pol2,pol1``, then with the order ``pol1,pol2``.
    """
    # NOTE(review): the second configuration below does not set
    # "matchstrategy"; it relies on whatever `multi` or the middleware
    # provides by default, which is not visible here.
    config = multi.copy()
    config["policy"] = "pol2,pol1"
    config["matchstrategy"] = "firstmatch"
    corsed = mw(Response("this is not a preflight response"), config)

    chosen, origin = corsed.selectPolicy("palim.woopy.com")
    assert chosen == "pol2", "'pol2' should have been returned since it matches first (but result was: '%s')" % chosen
    assert origin == "palim.woopy.com", "'palim.woopy.com' expected since its matched by pol2 (but result was: '%s')" % origin

    chosen, origin = corsed.selectPolicy("palim.com")
    assert chosen == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % chosen
    assert origin == "*", "'*' expected since its matched by pol1 (but result was: '%s')" % origin

    # Reversed policy order.
    config = multi.copy()
    config["policy"] = "pol1,pol2"
    corsed = mw(Response("this is not a preflight response"), config)
    chosen, origin = corsed.selectPolicy("palim.woopy.com")
    assert chosen == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % chosen
    assert origin == "*", "'*' expectedsince its matched by pol1 (but result was: '%s')" % origin
Example #11
def testdeny():
    """Denied policy

    A preflight built from ``preflight_headers`` must get an empty body and
    none of the CORS response headers (nor ``Vary``) under ``deny``.
    """
    corsed = mw(Response("non preflight"), deny)
    request = prepRequest(preflight_headers)
    res = request.get_response(corsed)

    # The wrapped app's body ("non preflight") must not leak through.
    body_text = res.body.decode("utf-8")
    assert body_text == "", "Body must be empty but was:%s" % res.body

    for forbidden in ("Access-Control-Allow-Origin",
                      "Access-Control-Allow-Credentials",
                      "Access-Control-Allow-Methods",
                      "Access-Control-Allow-Headers",
                      "Access-Control-Max-Age",
                      "Access-Control-Expose-Headers",
                      "Vary"):
        assert forbidden not in res.headers, "Header should not be in repsonse"
Example #12
def testverbatim():
    """Check the CORS headers produced under the ``verbatim`` policy.

    The expected values are fixed strings for origin, methods and headers
    rather than wildcards.
    """
    corsed = mw(Response(), verbatim)

    # (header, default used for the lookup, expected value)
    preflight_expectations = (
        ("Access-Control-Allow-Origin", "", "example.com"),
        ("Access-Control-Allow-Credentials", "", "true"),
        ("Access-Control-Allow-Methods", "", "put,delete"),
        ("Access-Control-Allow-Headers", "", "header1,header2"),
        ("Access-Control-Max-Age", "0", "100"),
    )
    reply = preflight.get_response(corsed)
    for header, default, value in preflight_expectations:
        assert reply.headers.get(header, default) == value

    reply = post.get_response(corsed)
    for header, value in (("Access-Control-Allow-Origin", "example.com"),
                          ("Access-Control-Allow-Credentials", "true")):
        assert reply.headers.get(header, "") == value
Example #13
def testdeny():
    """Denied policy

    Under ``deny`` the preflight response must have an empty body and must
    not contain any ``Access-Control-*`` header or ``Vary``.
    """
    header_failure = "Header should not be in repsonse"

    corsed = mw(Response("non preflight"), deny)
    preflight_request = prepRequest(preflight_headers)
    res = preflight_request.get_response(corsed)

    assert res.body.decode("utf-8") == "", (
        "Body must be empty but was:%s" % res.body)

    unwanted = (
        "Access-Control-Allow-Origin",
        "Access-Control-Allow-Credentials",
        "Access-Control-Allow-Methods",
        "Access-Control-Allow-Headers",
        "Access-Control-Max-Age",
        "Access-Control-Expose-Headers",
        "Vary",
    )
    for header in unwanted:
        assert header not in res.headers, header_failure
Example #14
def test_req_origin_no_match():
    """sending a post from a disallowed host => no allow headers will be returned

    The preflight is checked first against the ``verbatim`` policy values;
    the ``post2`` request must then come back without Allow-Origin and
    without Allow-Credentials.
    """
    corsed = mw(Response(), verbatim)

    # (header, default used for the lookup, expected value)
    preflight_expectations = (
        ("Access-Control-Allow-Origin", "", "example.com"),
        ("Access-Control-Allow-Credentials", "", "true"),
        ("Access-Control-Allow-Methods", "", "put,delete"),
        ("Access-Control-Allow-Headers", "", "header1,header2"),
        ("Access-Control-Max-Age", "0", "100"),
    )
    reply = preflight.get_response(corsed)
    for header, default, value in preflight_expectations:
        assert reply.headers.get(header, default) == value

    # Credentials must not be granted when the origin is not.
    reply = post2.get_response(corsed)
    for header in ("Access-Control-Allow-Origin",
                   "Access-Control-Allow-Credentials"):
        assert header not in reply.headers
Example #15
def test_method_policy_fixed():
    """Yield checks for a policy with a fixed ``pol_methods`` list.

    The requested method ("woopy") is not in the list; the preflight check
    is given the configured list "PUT, GET" as expected value and the
    actual-request check is given None.
    """
    fixed_methods = free.copy()
    fixed_methods["pol_methods"] = "PUT, GET"

    corsed = mw(Response("non preflight response"), fixed_methods)

    # preflight request
    yield preflight_check_result, corsed, "Method", "woopy", "PUT, GET"

    # actual request
    yield request_check_result, corsed, "Method", "woopy", None
Example #16
def test_headers_policy_fixed():
    """Yield checks for a policy with a fixed ``pol_headers`` value.

    The requested header name ("woopy") differs from the configured one;
    the preflight check is given "Wooble" as expected value and the
    actual-request check is given None.
    """
    fixed_headers = free.copy()
    fixed_headers["pol_headers"] = "Wooble"

    corsed = mw(Response("non preflight response"), fixed_headers)

    # preflight request
    yield preflight_check_result, corsed, "Headers", "woopy", "Wooble"

    # actual request
    yield request_check_result, corsed, "Headers", "woopy", None
Example #17
def test_method_policy_fixed():
    """Yield preflight and actual-request checks for ``pol_methods = "PUT, GET"``."""
    config = free.copy()
    config["pol_methods"] = "PUT, GET"

    corsed = mw(Response("non preflight response"), config)

    # (check callable, requested method, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy", "PUT, GET"),  # preflight request
        (request_check_result, "woopy", None),          # actual request
    )
    for check, requested, expected in steps:
        yield check, corsed, "Method", requested, expected
Example #18
def test_headers_policy_fixed():
    """Yield preflight and actual-request checks for ``pol_headers = "Wooble"``."""
    config = free.copy()
    config["pol_headers"] = "Wooble"

    corsed = mw(Response("non preflight response"), config)

    # (check callable, requested header, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy", "Wooble"),  # preflight request
        (request_check_result, "woopy", None),        # actual request
    )
    for check, requested, expected in steps:
        yield check, corsed, "Headers", requested, expected
Example #19
def test_origin_policy_all():
    """Yield checks for a policy whose ``pol_origin`` is ``*``.

    The preflight check is given ``*`` as expected value; the
    actual-request check is given the request's own origin ("localhost")
    and an expected "Vary" value of None.
    """
    # NOTE(review): the actual-request case expects the request origin to
    # be returned while "Vary" is expected to be None. If the helper treats
    # None as "header absent" (it is not shown here), a response whose
    # Allow-Origin depends on the request is served without "Vary: Origin",
    # which shared caches can mishandle. Worth confirming against the
    # middleware's intent.
    any_origin = free.copy()
    any_origin["pol_origin"] = "*"

    corsed = mw(Response("non preflight response"), any_origin)

    # preflight request
    yield preflight_check_result, corsed, "Origin", "localhost", "*"

    # actual request
    yield (request_check_result, corsed, "Origin", "localhost", "localhost",
           ("Vary", None))
Example #20
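def testfree_nocred():
    """
    similar to free, but the actual request will be answered
    with a '*' for allowed origin

    Under ``free_nocred`` neither the preflight response nor the actual
    response may carry Access-Control-Allow-Credentials.
    """

    corsed = mw(Response(), free_nocred)
    res = preflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "*"
    # Identity test instead of "== None": the header must be absent.
    assert res.headers.get("Access-Control-Allow-Credentials") is None
    assert res.headers.get("Access-Control-Allow-Methods", "") == "post"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "*"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"

    # Without credentials the wildcard origin is returned as-is on the
    # actual request too.
    res = post.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "*"
    assert res.headers.get("Access-Control-Allow-Credentials") is None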
Example #21
def test_expose_header_policy_unset():
    """No Expose-Headers in actual request if not given

    ``pol_expose_headers`` is removed from the policy; both checks are
    given ("Access-Control-Expose-Headers", None) as the extra expectation.
    """
    without_expose = free.copy()
    del without_expose["pol_expose_headers"]

    corsed = mw(Response("non preflight response"), without_expose)
    extra = ("Access-Control-Expose-Headers", None)

    # preflight request
    yield preflight_check_result, corsed, "Headers", "woopy", "woopy", extra

    # actual request
    yield request_check_result, corsed, "Headers", "woopy", None, extra
Example #22
def test_expose_header_policy_set():
    """Add Expose-Headers in actual request if policy says so

    With ``pol_expose_headers`` set to "exposed", the preflight check is
    given None for Access-Control-Expose-Headers and the actual-request
    check is given "exposed".
    """
    with_expose = free.copy()
    with_expose["pol_expose_headers"] = "exposed"

    corsed = mw(Response("non preflight response"), with_expose)

    # preflight request
    yield (preflight_check_result, corsed, "Headers", "woopy", "woopy",
           ("Access-Control-Expose-Headers", None))

    # actual request
    yield (request_check_result, corsed, "Headers", "woopy", None,
           ("Access-Control-Expose-Headers", "exposed"))
Example #23
def test_age_policy_unset():
    """Max-Age is not expected when the policy has no ``pol_maxage``.

    Both the preflight check and the actual-request check are given
    ("Access-Control-Max-Age", None) as the extra expectation.
    """
    without_maxage = free.copy()
    del without_maxage["pol_maxage"]

    corsed = mw(Response("non preflight response"), without_maxage)
    extra = ("Access-Control-Max-Age", None)

    # preflight request
    yield preflight_check_result, corsed, "Headers", "woopy", "woopy", extra

    # actual request
    yield request_check_result, corsed, "Headers", "woopy", None, extra
Example #24
def test_credentials_policy_none():
    """Allow-Credentials should not be present

    ``pol_credentials`` is removed from the policy, so credentials must not
    be granted by default on either the preflight or the actual request.
    """
    without_credentials = free.copy()
    del without_credentials["pol_credentials"]

    corsed = mw(Response("non preflight response"), without_credentials)
    extra = ("Access-Control-Allow-Credentials", None)

    # preflight request
    yield preflight_check_result, corsed, "Headers", "woopy", "woopy", extra

    # actual request
    yield request_check_result, corsed, "Headers", "woopy", None, extra
Example #25
def test_credentials_policy_no():
    """Allow-Credentials should not be present, if policy is different from 'yes'

    Only the literal value "yes" is meant to enable credentials; "no" is
    used here as one example of any other value.
    """
    # NOTE(review): "no" is the only non-"yes" value exercised; other
    # spellings (e.g. a different case of "yes") are not covered here.
    credentials_off = free.copy()
    credentials_off["pol_credentials"] = "no"  # something different from "yes"

    corsed = mw(Response("non preflight response"), credentials_off)
    extra = ("Access-Control-Allow-Credentials", None)

    # preflight request
    yield preflight_check_result, corsed, "Headers", "woopy", "woopy", extra

    # actual request
    yield request_check_result, corsed, "Headers", "woopy", None, extra
Example #26
def test_origin_policy_all():
    """Yield preflight and actual-request checks for ``pol_origin = "*"``."""
    # NOTE(review): on the actual request the expected origin equals the
    # origin sent ("localhost") while the expected "Vary" value is None.
    # If None means "header absent" in the helper (not shown here), the
    # origin-dependent response carries no "Vary: Origin"; confirm this is
    # intended, since caches may then reuse it across origins.
    config = free.copy()
    config["pol_origin"] = "*"

    corsed = mw(Response("non preflight response"), config)

    sent_origin = "localhost"

    # preflight request
    yield preflight_check_result, corsed, "Origin", sent_origin, "*"

    # actual request
    vary_expectation = ("Vary", None)
    yield (request_check_result, corsed, "Origin", sent_origin, "localhost",
           vary_expectation)
Example #27
def test_credentials_policy_none():
    """Allow-Credentials should not be present

    The policy is ``free`` with ``pol_credentials`` deleted; both yielded
    checks carry ("Access-Control-Allow-Credentials", None).
    """
    config = free.copy()
    del config["pol_credentials"]

    corsed = mw(Response("non preflight response"), config)

    # (check callable, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy"),  # preflight request
        (request_check_result, None),       # actual request
    )
    for check, expected in steps:
        yield (check, corsed, "Headers", "woopy", expected,
               ("Access-Control-Allow-Credentials", None))
Example #28
def test_age_policy_unset():
    """Max-Age is not expected when ``pol_maxage`` is removed from the policy.

    The policy is ``free`` with ``pol_maxage`` deleted; both yielded checks
    carry ("Access-Control-Max-Age", None).
    """
    config = free.copy()
    del config["pol_maxage"]

    corsed = mw(Response("non preflight response"), config)

    # (check callable, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy"),  # preflight request
        (request_check_result, None),       # actual request
    )
    for check, expected in steps:
        yield (check, corsed, "Headers", "woopy", expected,
               ("Access-Control-Max-Age", None))
Example #29
def test_credentials_policy_no():
    """Allow-Credentials should not be present, if policy is different from 'yes'

    The policy is ``free`` with ``pol_credentials`` set to "no"; both
    yielded checks carry ("Access-Control-Allow-Credentials", None).
    """
    config = free.copy()
    config["pol_credentials"] = "no"  # something different from "yes"

    corsed = mw(Response("non preflight response"), config)

    # (check callable, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy"),  # preflight request
        (request_check_result, None),       # actual request
    )
    for check, expected in steps:
        yield (check, corsed, "Headers", "woopy", expected,
               ("Access-Control-Allow-Credentials", None))
Example #30
def test_expose_header_policy_set():
    """Add Expose-Headers in actual request if policy says so

    Expose-Headers is expected as None on the preflight check and as
    "exposed" on the actual-request check.
    """
    config = free.copy()
    config["pol_expose_headers"] = "exposed"

    corsed = mw(Response("non preflight response"), config)

    # (check callable, value passed as expected result, Expose-Headers value)
    steps = (
        (preflight_check_result, "woopy", None),    # preflight request
        (request_check_result, None, "exposed"),    # actual request
    )
    for check, expected, exposed in steps:
        yield (check, corsed, "Headers", "woopy", expected,
               ("Access-Control-Expose-Headers", exposed))
Example #31
def test_expose_header_policy_unset():
    """No Expose-Headers in actual request if not given

    The policy is ``free`` with ``pol_expose_headers`` deleted; both
    yielded checks carry ("Access-Control-Expose-Headers", None).
    """
    config = free.copy()
    del config["pol_expose_headers"]

    corsed = mw(Response("non preflight response"), config)

    # (check callable, value passed as expected result)
    steps = (
        (preflight_check_result, "woopy"),  # preflight request
        (request_check_result, None),       # actual request
    )
    for check, expected in steps:
        yield (check, corsed, "Headers", "woopy", expected,
               ("Access-Control-Expose-Headers", None))
Example #32
def test_origin_policy_match():
    """Yield origin checks for a ``pol_origin`` made of three patterns.

    The same four origins are used for the preflight path and for the
    actual-request path; the latter also carries an expected "Vary" value.
    """
    # NOTE(review): two of the accepted origins depend on wildcard
    # characters ("?" and "*") in the policy, and "example2.com" has no
    # scheme although browsers send scheme://host[:port] in Origin. Only
    # "localhost" is tested as a rejection; adding near-miss origins would
    # pin how strictly the patterns are anchored.
    config = free.copy()
    config["pol_origin"] = "http://example.com example?.com https://*.example.com"

    corsed = mw(Response("non preflight response"), config)

    # (origin sent, value passed as expected result, expected "Vary" value)
    table = (
        ("localhost", None, None),
        ("http://example.com", "http://example.com", "Origin"),
        ("example2.com", "example2.com", "Origin"),
        ("https://www.example.com", "https://www.example.com", "Origin"),
    )

    # preflight request: the "Vary" column is not used on this path
    for sent, allowed, _unused in table:
        yield preflight_check_result, corsed, "Origin", sent, allowed

    # actual request
    for sent, allowed, vary in table:
        yield request_check_result, corsed, "Origin", sent, allowed, ("Vary", vary)