Esempio n. 1
 def test_process_response_no_origin(self, get_settings):
     """A request with no Origin header gets no Access-Control-Allow-Origin.

     ``get_settings`` is a mock; its return value is replaced with a
     ``CorsHeadersSettings`` built from the overridden Django settings
     (presumably injected by a patch decorator outside this listing).
     """
     overrides = {'CORS_MODEL': None, 'CORS_URLS_REGEX': '^.*$'}
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         # Empty META: the request carries no HTTP_ORIGIN entry at all.
         req = Mock(path='/', META={})
         result = self.middleware.process_response(req, resp)
         self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, result)
Esempio n. 2
 def test_process_response_dont_allow_credentials(self, get_settings):
     """With credentials disabled, no Allow-Credentials header is emitted.

     Every origin is allowed here (CORS_ORIGIN_ALLOW_ALL=True), so this is
     the configuration where the credentials header matters most: an
     allow-all policy that also granted credentials would let any site
     read authenticated responses.
     """
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': True,
         'CORS_ALLOW_CREDENTIALS': False,
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://example.com'}
         req = Mock(path='/', META=meta)
         result = self.middleware.process_response(req, resp)
         self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, result)
Esempio n. 3
 def test_process_response_dont_expose_headers(self, get_settings):
     """An empty CORS_EXPOSE_HEADERS list yields no Expose-Headers header.

     The origin is accepted (allow-all), so the absence of the header is
     attributable to the empty expose list rather than to a rejected origin.
     """
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': True,
         'CORS_EXPOSE_HEADERS': [],
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://example.com'}
         req = Mock(path='/', META=meta)
         result = self.middleware.process_response(req, resp)
         self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, result)
Esempio n. 4
 def test_process_response_not_in_whitelist(self, get_settings):
     """An origin absent from the whitelist gets no Allow-Origin header.

     Allow-all is switched off, so the whitelist is the only way in for
     this request, and 'foobar.it' is not on it.
     """
     # NOTE(review): whitelist entries are bare host names while the Origin
     # header carries a scheme; presumably matching ignores the scheme --
     # confirm against the middleware.
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': False,
         'CORS_ORIGIN_WHITELIST': ['example.com'],
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://foobar.it'}
         req = Mock(path='/', META=meta)
         result = self.middleware.process_response(req, resp)
         self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, result)
Esempio n. 5
 def test_process_response_in_whitelist(self, get_settings):
     """A whitelisted origin is echoed back in Access-Control-Allow-Origin.

     The expected header value is the request's own Origin string, checked
     through the ``assertAccessControlAllowOriginEquals`` helper.
     """
     origin = 'http://foobar.it'
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': False,
         'CORS_ORIGIN_WHITELIST': ['example.com', 'foobar.it'],
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         req = Mock(path='/', META={'HTTP_ORIGIN': origin})
         result = self.middleware.process_response(req, resp)
         self.assertAccessControlAllowOriginEquals(result, origin)
Esempio n. 6
 def test_process_response_expose_headers(self, get_settings):
     """Configured expose headers are emitted as one comma-separated value.

     The header is read by subscript, so a missing header fails the test
     with a lookup error rather than a comparison mismatch.
     """
     exposed = ['accept', 'origin', 'content-type']
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': True,
         'CORS_EXPOSE_HEADERS': exposed,
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://example.com'}
         req = Mock(path='/', META=meta)
         result = self.middleware.process_response(req, resp)
         header_value = result[ACCESS_CONTROL_EXPOSE_HEADERS]
         self.assertEqual(header_value, 'accept, origin, content-type')
Esempio n. 7
 def test_process_response_whitelist_with_port(self, get_settings):
     """An OPTIONS request from a host:port origin carries no credentials header.

     CORS_ALLOW_CREDENTIALS is not overridden here, so the outcome depends
     on whatever value the surrounding settings supply.
     """
     # NOTE(review): despite the name, nothing here asserts that the
     # port-bearing origin is accepted (no check on Allow-Origin); only the
     # absence of Allow-Credentials is verified -- confirm that is intended.
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': False,
         'CORS_ALLOW_METHODS': ['OPTIONS'],
         'CORS_ORIGIN_WHITELIST': ('localhost:9000',),
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://localhost:9000'}
         req = Mock(path='/', META=meta, method='OPTIONS')
         result = self.middleware.process_response(req, resp)
         credentials = result.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None)
         self.assertEqual(credentials, None)
Esempio n. 8
 def test_process_response_when_custom_model_enabled(self, get_settings):
     """An origin stored in the CORS model is echoed back as allowed.

     Allow-all is off and the regex whitelist is empty, so the database
     row created below is the only configured source for this origin.
     """
     # Imported locally, as in the original test, rather than at module level.
     from corsheaders.models import CorsModel
     CorsModel.objects.create(cors='foo.google.com')
     origin = 'http://foo.google.com'
     overrides = {
         'CORS_ORIGIN_REGEX_WHITELIST': (),
         'CORS_ALLOW_CREDENTIALS': False,
         'CORS_ORIGIN_ALLOW_ALL': False,
         'CORS_URLS_REGEX': '^.*$',
         'CORS_MODEL': 'corsheaders.CorsModel',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         req = Mock(path='/', META={'HTTP_ORIGIN': origin})
         result = self.middleware.process_response(req, resp)
         allowed = result.get(ACCESS_CONTROL_ALLOW_ORIGIN, None)
         self.assertEqual(allowed, origin)
Esempio n. 9
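 def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, get_settings):
     """An origin matching no regex whitelist entry gets no Allow-Origin.

     The only pattern admits yahoo.com and its single-label subdomains;
     the request comes from foo.google.com, so the response must carry no
     Access-Control-Allow-Origin even though credentials are enabled.
     ``get_settings`` is a mock whose return value is replaced with the
     settings wrapper built from the overridden Django settings.
     """
     # Raw string: '\w' and '\.' are invalid escapes in a plain literal and
     # trigger a warning on current Python. 'https?' replaces 'http?', which
     # made the 'p' optional (accepting 'htt://') and never matched https.
     regex_whitelist = (r'^https?://(\w+\.)?yahoo\.com$', )
     # NOTE(review): only an unrelated domain is exercised; a companion case
     # for origins that merely contain 'yahoo.com' would cover what the
     # '^' and '$' anchors are there to reject.
     with override_settings(
             CORS_MODEL=None,
             CORS_ORIGIN_REGEX_WHITELIST=regex_whitelist,
             CORS_ALLOW_CREDENTIALS=True,
             CORS_ORIGIN_ALLOW_ALL=False,
             CORS_ALLOW_METHODS=['OPTIONS'],
             CORS_URLS_REGEX='^.*$'):
         get_settings.return_value = CorsHeadersSettings(settings)
         response = HttpResponse()
         request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}
         request = Mock(path='/', META=request_headers, method='OPTIONS')
         processed = self.middleware.process_response(request, response)
         self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None)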
Esempio n. 10
 def test_process_response_options_method_no_max_age(self, get_settings):
     """A preflight with CORS_PREFLIGHT_MAX_AGE=0 omits the Max-Age header.

     The allowed headers and methods are still emitted, each as a single
     comma-separated value in configured order.
     """
     overrides = {
         'CORS_MODEL': None,
         'CORS_ORIGIN_ALLOW_ALL': True,
         'CORS_ALLOW_HEADERS': ['content-type', 'origin'],
         'CORS_ALLOW_METHODS': ['GET', 'OPTIONS'],
         'CORS_PREFLIGHT_MAX_AGE': 0,
         'CORS_URLS_REGEX': '^.*$',
     }
     with override_settings(**overrides):
         get_settings.return_value = CorsHeadersSettings(settings)
         resp = HttpResponse()
         meta = {'HTTP_ORIGIN': 'http://example.com'}
         req = Mock(path='/', META=meta, method='OPTIONS')
         result = self.middleware.process_response(req, resp)
         allow_headers = result[ACCESS_CONTROL_ALLOW_HEADERS]
         self.assertEqual(allow_headers, 'content-type, origin')
         allow_methods = result[ACCESS_CONTROL_ALLOW_METHODS]
         self.assertEqual(allow_methods, 'GET, OPTIONS')
         self.assertNotIn(ACCESS_CONTROL_MAX_AGE, result)