class TestCorsMiddlewareProcessRequest(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = Mock(path="/") request.method = "OPTIONS" request.META = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": "value"} with settings_override(CORS_URLS_REGEX="^.*$"): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_empty_header(self): request = Mock(path="/") request.method = "OPTIONS" request.META = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": ""} with settings_override(CORS_URLS_REGEX="^.*$"): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_no_header(self): request = Mock(path="/") request.method = "OPTIONS" request.META = {} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_not_options(self): request = Mock(path="/") request.method = "GET" request.META = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": "value"} response = self.middleware.process_request(request) self.assertIsNone(response)
class TestCorsMiddlewareProcessRequest(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_empty_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_no_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_not_options(self): request = Mock(path='/') request.method = 'GET' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} response = self.middleware.process_request(request) self.assertIsNone(response)
def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level='public', mail_language_project=None, ) self.subproject = get( Project, users=[self.owner], privacy_level='public', mail_language_project=None, ) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject, ) self.domain = get(Domain, domain='my.valid.domain', project=self.project)
def check_host(host: str) -> bool: """ Check if the host is allowed """ middleware = CorsMiddleware() if middleware.regex_domain_match(host): return True return ClientWebsite.objects.check_by_own_domain(host)
def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.pip = get( Project, slug='pip', users=[self.owner], privacy_level='public', ) self.domain = get(Domain, domain='my.valid.domain', project=self.pip)
def http_handler(self, message, **kwargs): """ Called on HTTP request :param message: message received :return: """ # Get Django HttpRequest object from ASGI Message request = AsgiRequest(message) # CORS response = CorsMiddleware().process_request(request) if not isinstance(response, HttpResponse): # Try to process content try: if request.method != 'POST': raise MethodNotSupported('Only POST method is supported') content = request.body.decode('utf-8') except (UnicodeDecodeError, MethodNotSupported): content = '' result, is_notification = self.__handle(content, message, kwargs) # Set response status code # http://www.jsonrpc.org/historical/json-rpc-over-http.html#response-codes if not is_notification: # call response status_code = 200 if 'error' in result: code = result['error']['code'] status_code = self._http_codes[ code] if code in self._http_codes else 500 else: # notification response status_code = 204 if result and 'error' in result: code = result['error']['code'] status_code = self._http_codes[ code] if code in self._http_codes else 500 result = '' response = HttpResponse(self.__class__._encode(result), content_type='application/json-rpc', status=status_code) # CORS response = CorsMiddleware().process_response(request, response) # Encode that response into message format (ASGI) for chunk in AsgiHandler.encode_response(response): message.reply_channel.send(chunk)
def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.project.versions.update(privacy_level=PUBLIC) self.version = self.project.versions.get(slug=LATEST) self.subproject = get( Project, users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.subproject.versions.update(privacy_level=PUBLIC) self.version_subproject = self.subproject.versions.get(slug=LATEST) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject, ) self.domain = get( Domain, domain='my.valid.domain', project=self.project, ) self.another_project = get( Project, privacy_level=PUBLIC, slug='another', ) self.another_project.versions.update(privacy_level=PUBLIC) self.another_version = self.another_project.versions.get(slug=LATEST) self.another_domain = get( Domain, domain='another.valid.domain', project=self.another_project, )
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.pip = get( Project, slug='pip', users=[self.owner], privacy_level='public', ) self.domain = get(Domain, domain='my.valid.domain', project=self.pip) def test_proper_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_invalid_domain(self): request = self.factory.get( self.url, {'project': self.pip.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_invalid_project(self): request = self.factory.get( self.url, {'project': 'foo'}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp)
def test_cors(self): """ Cross Origin Requests should be allowed. """ request = Mock(path='https://api.data.amsterdam.nl/panorama/panoramas/?lat=52.3779561&lon=4.8970701') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com', 'HTTP_HOST': 'api.data.amsterdam.nl', 'HTTP_ORIGIN': 'https://foo.google.com', } response = CorsMiddleware().process_response(request, HttpResponse()) self.assertTrue('access-control-allow-origin' in response._headers) self.assertEquals( '*', response._headers['access-control-allow-origin'][1])
def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level='public', mail_language_project=None ) self.subproject = get( Project, users=[self.owner], privacy_level='public', mail_language_project=None, ) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject ) self.domain = get(Domain, domain='my.valid.domain', project=self.project)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn( ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN), ) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ["example.com"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://foobar.it"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ["example.com", "foobar.it"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://foobar.it"}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, "http://foobar.it") def test_process_response_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ["accept", "origin", "content-type"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], "accept, origin, content-type") def test_process_response_dont_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], "true") def test_process_response_dont_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request = Mock(path="/", META={"HTTP_ORIGIN": "http://example.com"}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ["content-type", "origin"] settings.CORS_ALLOW_METHODS = ["GET", "OPTIONS"] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://example.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], "content-type, origin") self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], "GET, OPTIONS") self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], "1002") def test_process_response_options_method_no_max_age(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ["content-type", "origin"] settings.CORS_ALLOW_METHODS = ["GET", "OPTIONS"] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://example.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], "content-type, origin") self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], "GET, OPTIONS") self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_ORIGIN_WHITELIST = ("localhost:9000",) settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://localhost:9000"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS), "true") def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ("^http?://(\w+\.)?google\.com$",) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://foo.google.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), "http://foo.google.com") def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ("^http?://(\w+\.)?yahoo\.com$",) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ["OPTIONS"] settings.CORS_URLS_REGEX = "^.*$" response = HttpResponse() request_headers = {"HTTP_ORIGIN": "http://foo.google.com"} request = Mock(path="/", META=request_headers, method="OPTIONS") processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), None)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_response_no_origin(self): response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_ORIGIN not in processed @override_settings(CORS_ORIGIN_WHITELIST=['example.com']) def test_process_response_not_in_whitelist(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_ORIGIN not in processed @override_settings(CORS_ORIGIN_WHITELIST=['example.com', 'foobar.it']) def test_process_response_in_whitelist(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ORIGIN_ALLOW_ALL=True, CORS_EXPOSE_HEADERS=['accept', 'origin', 'content-type'], ) def test_process_response_expose_headers(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_EXPOSE_HEADERS] == \ 'accept, origin, content-type' @override_settings(CORS_ORIGIN_ALLOW_ALL=True) def test_process_response_dont_expose_headers(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_EXPOSE_HEADERS not in processed @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_allow_credentials(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_CREDENTIALS] == 'true' @override_settings(CORS_ORIGIN_ALLOW_ALL=True) def test_process_response_dont_allow_credentials(self): response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in processed @override_settings( CORS_ALLOW_HEADERS=['content-type', 'origin'], CORS_ALLOW_METHODS=['GET', 'OPTIONS'], CORS_PREFLIGHT_MAX_AGE=1002, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_options_method(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed[ ACCESS_CONTROL_ALLOW_HEADERS] == 'content-type, origin' assert processed[ACCESS_CONTROL_ALLOW_METHODS] == 'GET, OPTIONS' assert processed[ACCESS_CONTROL_MAX_AGE] == '1002' @override_settings( CORS_ALLOW_HEADERS=['content-type', 'origin'], CORS_ALLOW_METHODS=['GET', 'OPTIONS'], CORS_PREFLIGHT_MAX_AGE=0, CORS_ORIGIN_ALLOW_ALL=True, ) def test_process_response_options_method_no_max_age(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed[ACCESS_CONTROL_ALLOW_HEADERS] == \ 'content-type, origin' assert processed[ACCESS_CONTROL_ALLOW_METHODS] == 'GET, OPTIONS' assert ACCESS_CONTROL_MAX_AGE not in processed @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_WHITELIST=('localhost:9000', ), ) def test_process_response_whitelist_with_port(self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None) == 'true' @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_REGEX_WHITELIST=('^http?://(\w+\.)?google\.com$', ), ) def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist( self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) == 'http://foo.google.com' @override_settings( CORS_ALLOW_METHODS=['OPTIONS'], CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_REGEX_WHITELIST=('^http?://(\w+\.)?yahoo\.com$', ), ) def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist( self): response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) is None @override_settings(CORS_MODEL='corsheaders.CorsModel') def test_process_response_when_custom_model_enabled(self): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) assert processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) == 'http://foo.google.com' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_get(self): response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') assert response.status_code == 200 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_get_auth_view(self): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') assert response.status_code == 401 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings( CORS_ALLOW_CREDENTIALS=True, CORS_ORIGIN_ALLOW_ALL=True, ) def test_middleware_integration_preflight_auth_view(self): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ response = self.client.options( '/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') assert response.status_code == 200 assert response[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' def test_signal_that_returns_false(self): def handler(*args, **kwargs): return False check_request_enabled.connect(handler) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp def test_signal_that_returns_true(self): def handler(*args, **kwargs): return True check_request_enabled.connect(handler) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://foobar.it' @override_settings(CORS_ORIGIN_WHITELIST=['example.com']) def test_signal_allow_some_urls_to_everyone(self): def allow_api_to_all(sender, request, **kwargs): return request.path.startswith('/api/') check_request_enabled.connect(allow_api_to_all) resp = self.client.options( '/test-view/', HTTP_ORIGIN='http://example.org', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp resp = self.client.options( '/api/something/', HTTP_ORIGIN='http://example.org', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) assert resp.status_code == 200 assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://example.org'
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level='public', mail_language_project=None ) self.subproject = get( Project, users=[self.owner], privacy_level='public', mail_language_project=None, ) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject ) self.domain = get(Domain, domain='my.valid.domain', project=self.project) def test_proper_domain(self): request = self.factory.get( self.url, {'project': self.project.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_invalid_domain(self): request = self.factory.get( self.url, {'project': self.project.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_invalid_project(self): request = self.factory.get( self.url, {'project': 'foo'}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_valid_subproject(self): self.assertTrue( Project.objects.filter( pk=self.project.pk, subprojects__child=self.subproject ).exists() ) request = self.factory.get( self.url, {'project': self.subproject.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp)
def setUp(self): self.middleware = CorsMiddleware()
class TestCorsMiddlewareProcessRequest(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} response = self.middleware.process_request(request) assert isinstance(response, HttpResponse) def test_process_request_empty_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''} response = self.middleware.process_request(request) assert isinstance(response, HttpResponse) def test_process_request_no_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {} response = self.middleware.process_request(request) assert response is None def test_process_request_not_options(self): request = Mock(path='/') request.method = 'GET' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} response = self.middleware.process_request(request) assert response is None @override_settings( CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True, ) def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True # make sure it doesnt blow up when HTTP_REFERER is not present request.META = { 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_request(request) assert response is None # make sure it doesnt blow up when HTTP_HOST is not present request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_request(request) assert response is None request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'http://foo.google.com/' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with override_settings(CORS_REPLACE_HTTPS_REFERER=False): response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = self.middleware.process_request(request) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' # make sure the replace code is idempotent response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_request(request) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_request(request) assert response is None @override_settings( CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True, ) def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_view(request, None, None, None) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_view(request, None, None, None) assert response is None
def process_request(self, request): pretty = True if 'HTTP_X_CSAPI_PRETTY' in request.META and request.META['HTTP_X_CSAPI_PRETTY'].lower() in ['true', 'on', '1' ] else False request.META = request.META.copy() request.META['HTTP_X_CSAPI_PRETTY'] = pretty try: view_func = resolve(request.META['PATH_INFO'])[0] app_label = view_func.__module__.rsplit('.', 1)[1] view_name = view_func.__name__ methods = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['METHODS'] if methods: if getattr(request, "_CorsMiddleware", False) is False: self._CorsMiddleware = CorsMiddleware() response = self._CorsMiddleware.process_request(request) if response and request.method == "OPTIONS": response = self._CorsMiddleware.process_response(request, response) response[ACCESS_CONTROL_ALLOW_METHODS] = ", ".join(methods) try: headers = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['EXPOSE_HEADERS'] if headers: response[ACCESS_CONTROL_EXPOSE_HEADERS] = ", ".join(headers) except Exception as e: raise e try: headers = settings.ALLOW_EXPOSE_CORS_DATA[app_label][view_name]['ALLOW_HEADERS'] if headers: response[ACCESS_CONTROL_ALLOW_HEADERS] = ", ".join(headers) except Exception as e: raise e response[ACCESS_CONTROL_ALLOW_HEADERS] = '*' response[ACCESS_CONTROL_EXPOSE_HEADERS] = [] setattr(request, "_cors_enabled", False) return response except Exception as e: raise e request.META['_time'] = time.time() """ """ req_key = 'HTTP_X_CSAPI_REQUEST_URL' req_val = None url = request.META[req_key] if req_key in request.META else None req_val = ConsoleAPI.Filter_Request_Url(url) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_AUTHORIZATION' req_val = request.META[req_key] if req_key in request.META else None if req_val: req_val = str(req_val) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_COOKIE' req_val = request.META[req_key] if req_key in request.META else None if req_val: req_val = str(req_val) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_DEBUG' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_FOLLOW_REDIRECTION' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_HTTP_VERSION' req_val = request.META[req_key] if req_key in request.META else None req_val = 1.0 if req_val in ['1', '1.0'] else ( 1.1 if req_val in ['1.1'] else 2.0 if req_val in ['2', '2.0'] else "2P" if req_val in ['2p', '2P'] else 1.1) request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_IPV6' req_val = request.META[req_key] if req_key in request.META else None req_val = 6 if req_val in ['6'] else 4 request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_PRETTY' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_REFERER' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_PROXY' req_val = request.META[req_key] if req_key in request.META else None if req_val: pu = urlparse(req_val) scheme = pu.scheme netloc = pu.netloc if not netloc: req_val = None else: scheme = 'https' if 'https' in scheme else ('http1.0' if 'http1.0' in scheme else ('http' if 'http' in scheme else ('socks4a' if 'socks4a' in scheme else ('socks4' if 'socks4' in scheme else ('socks5' if 'socks5' in scheme else 'socks5_hostname' if 'socks5_hostname' in scheme else 'http'))))) netlocs = netloc.rsplit("@") userpass = netlocs[0] if len(netlocs)>1 else None netloc = netlocs[1] if len(netlocs)>1 else netlocs[0] netlocs = netloc.rsplit(":") netloc = netlocs[0] port = netlocs[1] if len(netlocs)>1 else None username = None password = None if userpass: userpasss = userpass.split(":") username = userpasss[0] password = userpasss[1] if len(userpasss[0])>1 else None req_val = {'ip':netloc, 'port':port, 'scheme':scheme, 'username':username, 'password':password} request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_SSL_VERIFIER' req_val = request.META[req_key] if req_key in request.META else None req_val = True if req_val in ['true', 'on', '1', 'yes' ] else False request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_USER_AGENT' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT_LANGUAGE' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT_ENCODING' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_ACCEPT' req_val = request.META[req_key] if req_key in request.META else None request.META[req_key] = req_val # req_key = 'HTTP_X_CSAPI_TIMEOUT' req_val = request.META[req_key] if req_key in request.META else None if req_val: try: req_val = int(req_val) req_val = 60 if req_val >60 else req_val except Exception as e: req_val = 60 request.META[req_key] = req_val """ Extra Headers """ req_key = 'HTTP_X_CSAPI_XHEADERS' req_val = [] for meta in request.META: xmatch = re.match(r'^(HTTP_X_CSAPI_(.*))', meta) if xmatch: xmkey = xmatch.group(2) if xmkey not in ['XHEADERS', 'TIMEOUT', 'SSL_VERIFIER', 'USER_AGENT', 'REQUEST_URL', 'PROXY', 'REFERER', 'PRETTY', 'IPV6', 'HTTP_VERSION', 'FOLLOW_REDIRECTION', 'DEBUG', 'ACCEPT', 'ACCEPT_ENCODING', 'ACCEPT_LANGUAGE']: req_val.append({ xmkey.lower().replace('_', '-').title() :request.META[ xmatch.group(0)]}) request.META[req_key] = req_val print(request.META['HTTP_X_CSAPI_XHEADERS']) print(request.META['HTTP_X_CSAPI_TIMEOUT']) print(request.META['HTTP_X_CSAPI_SSL_VERIFIER']) print(request.META['HTTP_X_CSAPI_PROXY']) print(request.META['HTTP_X_CSAPI_PRETTY']) print(request.META['HTTP_X_CSAPI_IPV6']) print(request.META['HTTP_X_CSAPI_HTTP_VERSION']) print(request.META['HTTP_X_CSAPI_DEBUG']) print(request.META['HTTP_X_CSAPI_FOLLOW_REDIRECTION']) print(request.META['HTTP_X_CSAPI_COOKIE']) print(request.META['HTTP_X_CSAPI_AUTHORIZATION']) print(request.META['HTTP_X_CSAPI_COOKIE']) print(request.META['HTTP_X_CSAPI_REQUEST_URL']) print(request.META['HTTP_X_CSAPI_USER_AGENT']) print(request.META['HTTP_X_CSAPI_ACCEPT_LANGUAGE']) print(request.META['HTTP_X_CSAPI_ACCEPT_ENCODING']) print(request.META['HTTP_X_CSAPI_ACCEPT']) return None
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN), None)
class TestCorsMiddlewareProcessRequest(TestCase): req_factory = RequestFactory() def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = self.req_factory.options( '/', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) response = self.middleware.process_request(request) assert isinstance(response, HttpResponse) def test_process_request_empty_header(self): request = self.req_factory.options( '/', HTTP_ACCESS_CONTROL_REQUEST_METHOD='', ) response = self.middleware.process_request(request) assert isinstance(response, HttpResponse) def test_process_request_no_header(self): request = self.req_factory.options('/') response = self.middleware.process_request(request) assert response is None def test_process_request_not_options(self): request = self.req_factory.get( '/', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) response = self.middleware.process_request(request) assert response is None @override_settings( CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True, SECURE_PROXY_SSL_HEADER=('HTTP_FAKE_SECURE', 'true'), ) def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() # make sure it doesnt blow up when HTTP_REFERER is not present request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', ) response = self.middleware.process_request(request) assert response is None # make sure it doesnt blow up when HTTP_HOST is not present request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='http://foo.google.com/', ) response = self.middleware.process_request(request) assert response is None # test that we won't replace if the request is not secure request = self.req_factory.get( '/', HTTP_HOST='foobar.com', HTTP_ORIGIN='http://foo.google.com', HTTP_REFERER='http://foo.google.com/', ) response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'http://foo.google.com/' # test that we won't replace with the setting off request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='https://foo.google.com/', ) with override_settings(CORS_REPLACE_HTTPS_REFERER=False): response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = self.middleware.process_request(request) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' # make sure the replace code is idempotent response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_request(request) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_request(request) assert response is None @override_settings( CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True, SECURE_PROXY_SSL_HEADER=('HTTP_FAKE_SECURE', 'true'), ) def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='https://foo.google.com/', ) response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_view(request, None, None, None) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_view(request, None, None, None) assert response is None
from django.core.urlresolvers import RegexURLResolver from django.views.decorators.csrf import csrf_exempt from functools import wraps from .utils import CaseInsensitiveDict logger = logging.getLogger(__name__) __all__ = ('SimpleHttpException', 'api_handler', 'api_export') __version__ = '1.4.0' cors_middleware = None if getattr(settings, 'SIMPLEAPI_ENABLE_CORS', False): cors_middleware = CorsMiddleware() def allow_cors(func): def func_wrapper(request, *args, **kwargs): resp = cors_middleware.process_request(request) if not resp: resp = func(request, *args, **kwargs) resp = cors_middleware.process_response(request, resp) return resp return func_wrapper
class TestCorsMiddlewareProcessRequest(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_empty_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_no_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_not_options(self): request = Mock(path='/') request.method = 'GET' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True # make sure it doesnt blow up when HTTP_REFERER is not present request.META = { 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) # make sure it doesnt blow up when HTTP_HOST is not present request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/') request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*'): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') # make sure the replace code is idempotent with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_request(request) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_request(request) self.assertIsNone(response) def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_view(request, None, None, None) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_view(request, None, None, None) self.assertIsNone(response)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn( ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_signal_works(self, settings): def handler(sender, request, **kwargs): return True settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' signals.check_request_enabled.connect(handler) response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000', ) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist( self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ( '^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist( self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ( '^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$', ) response = HttpResponse() request = Mock(path='/api/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_not_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$', ) response = HttpResponse() request = Mock(path='/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_middleware_integration_get(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_options(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = True response = self.client.options( '/test-view/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value', ) self.assertEqual(response.status_code, 200) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], 'http://foobar.it') self.assertEqual(response['Vary'], 'Origin') def test_middleware_integration_get_auth_view(self, settings): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 401) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_preflight_auth_view(self, settings): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.options( '/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')
class TestCorsMiddlewareProcessRequest(TestCase): def setUp(self): self.middleware = CorsMiddleware() def test_process_request(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_empty_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''} with settings_override(CORS_URLS_REGEX='^.*$'): response = self.middleware.process_request(request) self.assertIsInstance(response, HttpResponse) def test_process_request_no_header(self): request = Mock(path='/') request.method = 'OPTIONS' request.META = {} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_not_options(self): request = Mock(path='/') request.method = 'GET' request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'} response = self.middleware.process_request(request) self.assertIsNone(response) def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/') request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*'): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') # make sure the replace code is idempotent with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_request(request) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_request(request) self.assertIsNone(response) def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_view(request, None, None, None) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_view(request, None, None, None) self.assertIsNone(response)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')
class TestCORSMiddleware(TestCase): def setUp(self): self.factory = RequestFactory() self.middleware = CorsMiddleware() self.url = '/api/v2/search' self.owner = create_user(username='******', password='******') self.project = get( Project, slug='pip', users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.project.versions.update(privacy_level=PUBLIC) self.version = self.project.versions.get(slug=LATEST) self.subproject = get( Project, users=[self.owner], privacy_level=PUBLIC, main_language_project=None, ) self.subproject.versions.update(privacy_level=PUBLIC) self.version_subproject = self.subproject.versions.get(slug=LATEST) self.relationship = get( ProjectRelationship, parent=self.project, child=self.subproject, ) self.domain = get( Domain, domain='my.valid.domain', project=self.project, ) self.another_project = get( Project, privacy_level=PUBLIC, slug='another', ) self.another_project.versions.update(privacy_level=PUBLIC) self.another_version = self.another_project.versions.get(slug=LATEST) self.another_domain = get( Domain, domain='another.valid.domain', project=self.another_project, ) def test_allow_linked_domain_from_public_version(self): request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_dont_allow_linked_domain_from_private_version(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_allowed_api_public_version_from_another_domain(self): request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.another.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://another.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_not_allowed_api_private_version_from_another_domain(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.another.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://another.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_valid_subproject(self): self.assertTrue( Project.objects.filter( pk=self.project.pk, subprojects__child=self.subproject, ).exists(), ) request = self.factory.get( self.url, {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) def test_embed_api_private_version_linked_domain(self): self.version.privacy_level = PRIVATE self.version.save() request = self.factory.get( '/api/v2/embed/', {'project': self.project.slug, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) @mock.patch('readthedocs.core.signals._has_donate_app') def test_sustainability_endpoint_allways_allowed(self, has_donate_app): has_donate_app.return_value = True request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertIn('Access-Control-Allow-Origin', resp) @mock.patch('readthedocs.core.signals._has_donate_app') def test_sustainability_endpoint_no_ext(self, has_donate_app): has_donate_app.return_value = False request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) request = self.factory.get( '/api/v2/sustainability/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) def test_apiv2_endpoint_not_allowed(self): request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://invalid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # This also doesn't work on registered domains. request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # Or from our public domain. request = self.factory.get( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://docs.readthedocs.io/', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp) # POST is not allowed request = self.factory.post( '/api/v2/version/', {'project': self.project.slug, 'active': True, 'version': self.version.slug}, HTTP_ORIGIN='http://my.valid.domain', ) resp = self.middleware.process_response(request, {}) self.assertNotIn('Access-Control-Allow-Origin', resp)
class TestCorsMiddlewareProcessResponse(TestCase): def setUp(self): self.middleware = CorsMiddleware() def assertAccessControlAllowOriginEquals(self, response, header): self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, "Response %r does " "NOT have %r header" % (response, ACCESS_CONTROL_ALLOW_ORIGIN)) self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header) def test_process_response_no_origin(self, settings): settings.CORS_MODEL = None settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_not_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_signal_works(self, settings): def handler(sender, request, **kwargs): return True settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com'] settings.CORS_URLS_REGEX = '^.*$' signals.check_request_enabled.connect(handler) response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_process_response_in_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS], 'accept, origin, content-type') def test_process_response_dont_expose_headers(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_EXPOSE_HEADERS = [] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed) def test_process_response_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true') def test_process_response_dont_allow_credentials(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed) def test_process_response_options_method(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 1002 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002') def test_process_response_options_method_no_max_age(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_ALLOW_HEADERS = ['content-type', 'origin'] settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS'] settings.CORS_PREFLIGHT_MAX_AGE = 0 settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://example.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS], 'content-type, origin') self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS') self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed) def test_process_response_whitelist_with_port(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',) settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true') def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?google\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\w+\.)?yahoo\.com$', ) settings.CORS_ALLOW_CREDENTIALS = True settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = ['OPTIONS'] settings.CORS_URLS_REGEX = '^.*$' response = HttpResponse() request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'} request = Mock(path='/', META=request_headers, method='OPTIONS') processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None) def test_process_response_when_custom_model_enabled(self, settings): from corsheaders.models import CorsModel CorsModel.objects.create(cors='foo.google.com') settings.CORS_ORIGIN_REGEX_WHITELIST = () settings.CORS_ALLOW_CREDENTIALS = False settings.CORS_ORIGIN_ALLOW_ALL = False settings.CORS_ALLOW_METHODS = settings.default_methods settings.CORS_URLS_REGEX = '^.*$' settings.CORS_MODEL = 'corsheaders.CorsModel' response = HttpResponse() request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'}) processed = self.middleware.process_response(request, response) self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com') def test_process_response_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',) response = HttpResponse() request = Mock(path='/api/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it') def test_process_response_not_in_allow_all_path(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = False # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it'] settings.CORS_URLS_REGEX = '^.*$' settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',) response = HttpResponse() request = Mock(path='/data', META={'HTTP_ORIGIN': 'http://foobar.it'}) processed = self.middleware.process_response(request, response) self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed) def test_middleware_integration_get(self, settings): settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_get_auth_view(self, settings): """ It's not clear whether the header should still be set for non-HTTP200 when not a preflight request. However this is the existing behaviour for django-cors-middleware, so at least this test makes that explicit, especially since for the switch to Django 1.10, special-handling will need to be put in place to preserve this behaviour. See `ExceptionMiddleware` mention here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it') self.assertEqual(response.status_code, 401) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it') def test_middleware_integration_preflight_auth_view(self, settings): """ Ensure HTTP200 and header still set, for preflight requests to views requiring authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3 """ settings.CORS_MODEL = None settings.CORS_ORIGIN_ALLOW_ALL = True settings.CORS_URLS_REGEX = '^.*$' response = self.client.options('/test-view-http401/', HTTP_ORIGIN='http://foobar.it', HTTP_ACCESS_CONTROL_REQUEST_METHOD='value') self.assertEqual(response.status_code, 200) self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')