def test_process_response_no_origin(self, get_settings):
    """Check that a request without an Origin header gets no allow-origin header.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {'CORS_MODEL': None, 'CORS_URLS_REGEX': '^.*$'}
    # Empty META: the request carries no HTTP_ORIGIN entry at all.
    req = Mock(path='/', META={})
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, result)
def test_process_response_dont_allow_credentials(self, get_settings):
    """Check that the allow-credentials header is absent when credentials are off.

    The settings allow every origin (``CORS_ORIGIN_ALLOW_ALL=True``) but set
    ``CORS_ALLOW_CREDENTIALS=False``; the processed response must not carry
    ``ACCESS_CONTROL_ALLOW_CREDENTIALS``.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': True,
        'CORS_ALLOW_CREDENTIALS': False,
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://example.com'}
    req = Mock(path='/', META=meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, result)
def test_process_response_dont_expose_headers(self, get_settings):
    """Check that an empty CORS_EXPOSE_HEADERS produces no expose-headers header.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': True,
        'CORS_EXPOSE_HEADERS': [],
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://example.com'}
    req = Mock(path='/', META=meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, result)
def test_process_response_not_in_whitelist(self, get_settings):
    """Check that an origin missing from the whitelist gets no allow-origin header.

    The whitelist holds only ``example.com`` while the request's Origin is
    ``http://foobar.it``, and ``CORS_ORIGIN_ALLOW_ALL`` is off.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': False,
        'CORS_ORIGIN_WHITELIST': ['example.com'],
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://foobar.it'}
    req = Mock(path='/', META=meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        # The rejected origin must not be echoed back to the client.
        self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, result)
def test_process_response_in_whitelist(self, get_settings):
    """Check that a whitelisted origin is echoed in the allow-origin header.

    The whitelist entries are bare host names (``example.com``,
    ``foobar.it``); the request's Origin includes the scheme, and the
    assertion expects that full Origin value back.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    origin_meta = {'HTTP_ORIGIN': 'http://foobar.it'}
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': False,
        'CORS_ORIGIN_WHITELIST': ['example.com', 'foobar.it'],
        'CORS_URLS_REGEX': '^.*$',
    }
    req = Mock(path='/', META=origin_meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        self.assertAccessControlAllowOriginEquals(result, 'http://foobar.it')
def test_process_response_expose_headers(self, get_settings):
    """Check that CORS_EXPOSE_HEADERS is rendered as one comma-separated header.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': True,
        'CORS_EXPOSE_HEADERS': ['accept', 'origin', 'content-type'],
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://example.com'}
    req = Mock(path='/', META=meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        exposed = result[ACCESS_CONTROL_EXPOSE_HEADERS]
        # Expected value keeps the configured order, joined with ", ".
        self.assertEqual(exposed, 'accept, origin, content-type')
def test_process_response_whitelist_with_port(self, get_settings):
    """Exercise a whitelist entry that carries a port (``localhost:9000``).

    An OPTIONS request arrives from ``http://localhost:9000``; the test
    asserts that no allow-credentials header is present on the response.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    # NOTE(review): only the credentials header is checked; the test does not
    # assert that the whitelisted host:port origin is actually allowed.
    # Consider also asserting on ACCESS_CONTROL_ALLOW_ORIGIN.
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': False,
        'CORS_ALLOW_METHODS': ['OPTIONS'],
        'CORS_ORIGIN_WHITELIST': ('localhost:9000',),
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://localhost:9000'}
    req = Mock(path='/', META=meta, method='OPTIONS')
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        credentials = result.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None)
        self.assertEqual(credentials, None)
def test_process_response_when_custom_model_enabled(self, get_settings):
    """Check that an origin stored in the CORS model is echoed back.

    A ``CorsModel`` row for ``foo.google.com`` is created, the regex
    whitelist is empty and allow-all is off, and ``CORS_MODEL`` points at
    ``corsheaders.CorsModel``. The response is expected to carry the
    request's full Origin in the allow-origin header.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    from corsheaders.models import CorsModel

    # The stored value is a bare host name, without a scheme.
    CorsModel.objects.create(cors='foo.google.com')
    overrides = {
        'CORS_ORIGIN_REGEX_WHITELIST': (),
        'CORS_ALLOW_CREDENTIALS': False,
        'CORS_ORIGIN_ALLOW_ALL': False,
        'CORS_URLS_REGEX': '^.*$',
        'CORS_MODEL': 'corsheaders.CorsModel',
    }
    meta = {'HTTP_ORIGIN': 'http://foo.google.com'}
    req = Mock(path='/', META=meta)
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        allowed = result.get(ACCESS_CONTROL_ALLOW_ORIGIN, None)
        self.assertEqual(allowed, 'http://foo.google.com')
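def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, get_settings):
    """Check that an origin matching no regex whitelist entry is not allowed.

    The regex whitelist only covers ``yahoo.com`` hosts, while the OPTIONS
    request comes from ``http://foo.google.com``; the response must carry no
    allow-origin header even though ``CORS_ALLOW_CREDENTIALS`` is on.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    # Raw string: the pattern text is unchanged, but `\w` and `\.` are no
    # longer invalid string escapes (a warning on current Python versions).
    # The pattern is anchored with ^ and $ and escapes its dots, so it cannot
    # match a longer host that merely contains "yahoo.com".
    # NOTE(review): `http?` makes the trailing "p" optional (it matches
    # "htt://" and "http://") and never matches "https://"; if `https?` was
    # intended, fix the pattern. Left as-is to keep the tested value.
    with override_settings(
            CORS_MODEL=None,
            CORS_ORIGIN_REGEX_WHITELIST=(r'^http?://(\w+\.)?yahoo\.com$', ),
            CORS_ALLOW_CREDENTIALS=True,
            CORS_ORIGIN_ALLOW_ALL=False,
            CORS_ALLOW_METHODS=['OPTIONS'],
            CORS_URLS_REGEX='^.*$'):
        get_settings.return_value = CorsHeadersSettings(settings)
        response = HttpResponse()
        request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}
        request = Mock(path='/', META=request_headers, method='OPTIONS')
        processed = self.middleware.process_response(request, response)
        self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None)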
def test_process_response_options_method_no_max_age(self, get_settings):
    """Check the preflight headers when CORS_PREFLIGHT_MAX_AGE is 0.

    For an OPTIONS request the allow-headers and allow-methods headers are
    expected as comma-separated lists, and no max-age header is expected.

    Args:
        get_settings: mock whose ``return_value`` is set below to a
            ``CorsHeadersSettings`` built while the overrides are active.
    """
    overrides = {
        'CORS_MODEL': None,
        'CORS_ORIGIN_ALLOW_ALL': True,
        'CORS_ALLOW_HEADERS': ['content-type', 'origin'],
        'CORS_ALLOW_METHODS': ['GET', 'OPTIONS'],
        'CORS_PREFLIGHT_MAX_AGE': 0,
        'CORS_URLS_REGEX': '^.*$',
    }
    meta = {'HTTP_ORIGIN': 'http://example.com'}
    req = Mock(path='/', META=meta, method='OPTIONS')
    with override_settings(**overrides):
        get_settings.return_value = CorsHeadersSettings(settings)
        result = self.middleware.process_response(req, HttpResponse())
        allow_headers = result[ACCESS_CONTROL_ALLOW_HEADERS]
        self.assertEqual(allow_headers, 'content-type, origin')
        allow_methods = result[ACCESS_CONTROL_ALLOW_METHODS]
        self.assertEqual(allow_methods, 'GET, OPTIONS')
        # A max age of 0 means the header is left out rather than sent as "0".
        self.assertNotIn(ACCESS_CONTROL_MAX_AGE, result)