 def test_defaults_sameorigin(self):
     """
     The middleware falls back to SAMEORIGIN when X_FRAME_OPTIONS is absent.

     override_settings() is entered first so that deleting the attribute from
     ``settings`` below is undone when the block exits.
     """
     with override_settings(X_FRAME_OPTIONS=None):
         # Drop the setting entirely so the middleware has to use its
         # built-in default rather than a configured value.
         del settings.X_FRAME_OPTIONS
         middleware = XFrameOptionsMiddleware()
         response = middleware.process_response(HttpRequest(), HttpResponse())
         self.assertEqual(response['X-Frame-Options'], 'SAMEORIGIN')
    def test_response_exempt(self):
        """
        A response flagged ``xframe_options_exempt = True`` is left without the
        header; one explicitly flagged ``False`` still receives it.
        """
        def make_view(exempt):
            # Build a view whose response carries the given exempt flag.
            def view(request):
                response = HttpResponse()
                response.xframe_options_exempt = exempt
                return response
            return view

        with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
            not_exempt = XFrameOptionsMiddleware(make_view(False))(HttpRequest())
            self.assertEqual(not_exempt.headers['X-Frame-Options'], 'SAMEORIGIN')

            exempt = XFrameOptionsMiddleware(make_view(True))(HttpRequest())
            self.assertIsNone(exempt.headers.get('X-Frame-Options'))
    def test_dont_set_if_set(self):
        """
        A header already present on the response wins over the configured
        X_FRAME_OPTIONS value; the middleware never overwrites it.
        """
        def view_with_header(value):
            # Return a view whose response already carries X-Frame-Options.
            def view(request):
                response = HttpResponse()
                response.headers['X-Frame-Options'] = value
                return response
            return view

        # Each case pairs a setting with a conflicting pre-set header value
        # and expects the pre-set value to survive the middleware.
        cases = [
            ('DENY', 'SAMEORIGIN'),
            ('SAMEORIGIN', 'DENY'),
        ]
        for setting, preset in cases:
            with override_settings(X_FRAME_OPTIONS=setting):
                r = XFrameOptionsMiddleware(view_with_header(preset))(HttpRequest())
                self.assertEqual(r.headers['X-Frame-Options'], preset)
    def test_exempt_decorator(self):
        """
        ``@xframe_options_exempt`` flags the response so that
        XFrameOptionsMiddleware leaves X-Frame-Options unset.
        """
        @xframe_options_exempt
        def a_view(request):
            return HttpResponse()

        request = HttpRequest()
        response = a_view(request)
        # The decorator alone adds no header; it only flags the response.
        self.assertIsNone(response.get('X-Frame-Options', None))
        self.assertTrue(response.xframe_options_exempt)

        # The flag only matters if the middleware honours it, so push the
        # flagged response through process_response as well.
        processed = XFrameOptionsMiddleware().process_response(request, response)
        self.assertIsNone(processed.get('X-Frame-Options', None))