def test_cors_adds_allow_origin_header_for_non_preflight():
request = Request.blank("/")
resp = request.get_response(wsgi_testapp)
set_cors_headers(request, resp)
assert resp.headers["Access-Control-Allow-Origin"] == "*"
def test_cors_400s_for_preflight_without_reqmethod(headers):
del headers["Access-Control-Request-Method"]
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
with pytest.raises(HTTPBadRequest):
set_cors_headers(request, resp)
def test_cors_sets_allow_credentials_for_preflight_when_set(headers):
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp, allow_credentials=True)
assert resp.headers["Access-Control-Allow-Credentials"] == "true"
def test_cors_sets_allow_methods_OPTIONS_for_preflight(headers): # noqa
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp)
assert resp.headers["Access-Control-Allow-Methods"] == "OPTIONS"
def test_cors_sets_allow_origin_for_preflight(headers):
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp)
assert resp.headers["Access-Control-Allow-Origin"] == "http://example.com"
def test_cors_sets_max_age_for_preflight_when_set(headers):
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp, max_age=42)
assert resp.headers["Access-Control-Max-Age"] == "42"
def test_cors_sets_allow_headers_for_preflight_when_set(headers):
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp, allow_headers=("Foo", "X-Bar"))
values = resp.headers["Access-Control-Allow-Headers"].split(", ")
assert sorted(values) == ["Foo", "X-Bar"]
def test_cors_sets_allow_methods_for_preflight(headers):
request = Request.blank("/", method="OPTIONS", headers=headers)
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp, allow_methods=("PUT", "DELETE"))
values = resp.headers["Access-Control-Allow-Methods"].split(", ")
assert sorted(values) == ["DELETE", "OPTIONS", "PUT"]
def test_cors_passes_through_non_preflight():
request = Request.blank("/")
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp)
assert resp.body == "OK"
assert resp.status_code == 200
def test_cors_does_nothing_if_already_processing_an_exception_view(headers):
# Normally when a Pyramid view or view decorator raises an exception
# Pyramid searches for a matching exception view and invokes it -
# exception views "catch" exceptions raised during view processing.
#
# But if an *exception view* or a view decorator applied to an exception
# view raises an exeption then Pyramid just crashes. Exception views can't
# catch exceptions raised by exception views as that could create an
# infinite loop.
#
# So the set_cors_headers() function, which is part of the cors_policy view
# decorator, can't raise exception when it's being used to decorate an
# exception view or Pyramid will crash.
request = Request.blank("/", method="OPTIONS", headers=headers)
request.exception = HTTPBadRequest()
resp = request.get_response(wsgi_testapp)
resp = set_cors_headers(request, resp)
assert "Access-Control-Allow-Origin" not in resp.headers
