class TestCorsMiddlewareProcessRequest(TestCase):
def setUp(self):
self.middleware = CorsMiddleware()
def test_process_request(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_empty_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_no_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_not_options(self):
request = Mock(path='/')
request.method = 'GET'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
# make sure the replace code is idempotent
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_request(request)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_request(request)
self.assertIsNone(response)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_view(request, None, None, None)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_view(request, None, None, None)
self.assertIsNone(response)
class TestCorsMiddlewareProcessRequest(TestCase):
def setUp(self):
self.middleware = CorsMiddleware()
def test_process_request(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_empty_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''}
with settings_override(CORS_URLS_REGEX='^.*$'):
response = self.middleware.process_request(request)
self.assertIsInstance(response, HttpResponse)
def test_process_request_no_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_not_options(self):
request = Mock(path='/')
request.method = 'GET'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
response = self.middleware.process_request(request)
self.assertIsNone(response)
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
# make sure it doesnt blow up when HTTP_REFERER is not present
request.META = {
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
# make sure it doesnt blow up when HTTP_HOST is not present
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_request(request)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
# make sure the replace code is idempotent
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_request(request)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_request(request)
self.assertIsNone(response)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
with settings_override(CORS_URLS_REGEX='^.*$',
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True):
response = self.middleware.process_view(request, None, None, None)
self.assertIsNone(response)
self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')
self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
post_middleware.process_view(request, None, None, None)
self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)
self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')
with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):
response = post_middleware.process_view(request, None, None, None)
self.assertIsNone(response)
class TestCorsMiddlewareProcessRequest(TestCase):
def setUp(self):
self.middleware = CorsMiddleware()
def test_process_request(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
response = self.middleware.process_request(request)
assert isinstance(response, HttpResponse)
def test_process_request_empty_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''}
response = self.middleware.process_request(request)
assert isinstance(response, HttpResponse)
def test_process_request_no_header(self):
request = Mock(path='/')
request.method = 'OPTIONS'
request.META = {}
response = self.middleware.process_request(request)
assert response is None
def test_process_request_not_options(self):
request = Mock(path='/')
request.method = 'GET'
request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}
response = self.middleware.process_request(request)
assert response is None
@override_settings(
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True,
)
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
# make sure it doesnt blow up when HTTP_REFERER is not present
request.META = {
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_request(request)
assert response is None
# make sure it doesnt blow up when HTTP_HOST is not present
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_request(request)
assert response is None
request.is_secure = lambda: False
request.META = {
'HTTP_REFERER': 'http://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'http://foo.google.com',
}
# test that we won't replace if the request is not secure
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
# test that we won't replace with the setting off
with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = self.middleware.process_request(request)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
# make sure the replace code is idempotent
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_request(request)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_request(request)
assert response is None
@override_settings(
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True,
)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = Mock(path='/')
request.method = 'GET'
request.is_secure = lambda: True
request.META = {
'HTTP_REFERER': 'https://foo.google.com/',
'HTTP_HOST': 'foobar.com',
'HTTP_ORIGIN': 'https://foo.google.com',
}
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META[
'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_view(request, None, None, None)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_view(request, None, None, None)
assert response is None
class TestCorsMiddlewareProcessRequest(TestCase):
req_factory = RequestFactory()
def setUp(self):
self.middleware = CorsMiddleware()
def test_process_request(self):
request = self.req_factory.options(
'/',
HTTP_ACCESS_CONTROL_REQUEST_METHOD='value',
)
response = self.middleware.process_request(request)
assert isinstance(response, HttpResponse)
def test_process_request_empty_header(self):
request = self.req_factory.options(
'/',
HTTP_ACCESS_CONTROL_REQUEST_METHOD='',
)
response = self.middleware.process_request(request)
assert isinstance(response, HttpResponse)
def test_process_request_no_header(self):
request = self.req_factory.options('/')
response = self.middleware.process_request(request)
assert response is None
def test_process_request_not_options(self):
request = self.req_factory.get(
'/',
HTTP_ACCESS_CONTROL_REQUEST_METHOD='value',
)
response = self.middleware.process_request(request)
assert response is None
@override_settings(
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True,
SECURE_PROXY_SSL_HEADER=('HTTP_FAKE_SECURE', 'true'),
)
def test_process_request_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
# make sure it doesnt blow up when HTTP_REFERER is not present
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
)
response = self.middleware.process_request(request)
assert response is None
# make sure it doesnt blow up when HTTP_HOST is not present
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='http://foo.google.com/',
)
response = self.middleware.process_request(request)
assert response is None
# test that we won't replace if the request is not secure
request = self.req_factory.get(
'/',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='http://foo.google.com',
HTTP_REFERER='http://foo.google.com/',
)
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'http://foo.google.com/'
# test that we won't replace with the setting off
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='https://foo.google.com/',
)
with override_settings(CORS_REPLACE_HTTPS_REFERER=False):
response = self.middleware.process_request(request)
assert response is None
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = self.middleware.process_request(request)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
# make sure the replace code is idempotent
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_request(request)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_request(request)
assert response is None
@override_settings(
CORS_ORIGIN_REGEX_WHITELIST='.*google.*',
CORS_REPLACE_HTTPS_REFERER=True,
SECURE_PROXY_SSL_HEADER=('HTTP_FAKE_SECURE', 'true'),
)
def test_process_view_replace_https_referer(self):
post_middleware = CorsPostCsrfMiddleware()
request = self.req_factory.get(
'/',
HTTP_FAKE_SECURE='true',
HTTP_HOST='foobar.com',
HTTP_ORIGIN='https://foo.google.com',
HTTP_REFERER='https://foo.google.com/',
)
response = self.middleware.process_view(request, None, None, None)
assert response is None
assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/'
assert request.META['HTTP_REFERER'] == 'https://foobar.com/'
post_middleware.process_view(request, None, None, None)
assert 'ORIGINAL_HTTP_REFERER' not in request.META
assert request.META['HTTP_REFERER'] == 'https://foo.google.com/'
response = post_middleware.process_view(request, None, None, None)
assert response is None
