def test_cors_allow_methods(self, number, data):
    """Check Access-Control-Allow-Methods on OPTIONS responses.

    With an Origin header and no Access-Control-Request-Method the response
    is expected to list only OPTIONS; when a method is requested (GET and
    POST here) the response is expected to list exactly that method.
    Without an Origin header the header must be absent.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    # (request headers, expected set of allowed methods)
    # NOTE(review): every requested method here is expected to be reflected
    # back. There is no case for a method the resource should refuse, so this
    # test does not show whether the value is checked against the resource's
    # real methods. Worth adding a negative case.
    preflight_cases = (
        ({'HTTP_ORIGIN': FOO_DOMAIN}, {'OPTIONS'}),
        ({'HTTP_ORIGIN': FOO_DOMAIN,
          'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'GET'}, {'GET'}),
        ({'HTTP_ORIGIN': BAR_DOMAIN}, {'OPTIONS'}),
        ({'HTTP_ORIGIN': BAR_DOMAIN,
          'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'POST'}, {'POST'}),
    )
    for request_headers, expected_methods in preflight_cases:
        response = self.options(self.USER_API_URL, headers=request_headers)
        advertised = set(response[ACCESS_CONTROL_ALLOW_METHODS].split(', '))
        assert_equal(advertised, expected_methods)

    # No Origin header at all: the allow-methods header must not be emitted.
    response = self.options(self.USER_API_URL)
    assert_false(ACCESS_CONTROL_ALLOW_METHODS in response)
def test_cors_allow_headers(self, number, data):
    """Check Access-Control-Allow-Headers on OPTIONS responses.

    For both FOO_DOMAIN and BAR_DOMAIN origins the response must carry the
    same fixed, comma-separated list of request headers. Without an Origin
    header the header must be absent.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    # The list is compared as an exact string, so order and the ', '
    # separator are part of the contract being pinned.
    expected_value = ', '.join(
        ('X-Base', 'X-Offset', 'X-Fields', 'Origin', 'Content-Type', 'Accept'))

    for origin in (FOO_DOMAIN, BAR_DOMAIN):
        response = self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': origin})
        assert_equal(response[ACCESS_CONTROL_ALLOW_HEADERS], expected_value)

    # No Origin header at all: the allow-headers header must not be emitted.
    response = self.options(self.USER_API_URL)
    assert_false(ACCESS_CONTROL_ALLOW_HEADERS in response)
def test_option_with_turned_on_cors_headers_is_included_with_valid_origin(
        self, number, data):
    """Check which CORS headers an OPTIONS response carries per origin.

    Three requests are made: one without an Origin header, one with
    FOO_DOMAIN and one with BAR_DOMAIN. Only the FOO_DOMAIN response is
    expected to carry Access-Control-Allow-Origin. Per the test name this
    presumably runs with CORS enabled; the setting is not visible here.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    def check_presence(response, expectations):
        # Assert, in order, that each header is present or absent as stated.
        for header_name, should_be_present in expectations:
            verify = assert_true if should_be_present else assert_false
            verify(response.has_header(header_name))

    # No Origin header: origin-dependent headers are withheld, the rest stay.
    check_presence(self.options(self.USER_API_URL), (
        (ACCESS_CONTROL_ALLOW_ORIGIN, False),
        (ACCESS_CONTROL_EXPOSE_HEADERS, True),
        (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
        (ACCESS_CONTROL_ALLOW_HEADERS, False),
        (ACCESS_CONTROL_ALLOW_METHODS, False),
        (ACCESS_CONTROL_MAX_AGE, True),
    ))

    # FOO_DOMAIN: the full set of CORS headers is expected.
    # NOTE(review): only presence is asserted. Access-Control-Allow-Credentials
    # is sent too, so consider also asserting that the Allow-Origin value is
    # the specific origin and never '*'.
    check_presence(
        self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': FOO_DOMAIN}), (
            (ACCESS_CONTROL_ALLOW_ORIGIN, True),
            (ACCESS_CONTROL_EXPOSE_HEADERS, True),
            (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
            (ACCESS_CONTROL_ALLOW_HEADERS, True),
            (ACCESS_CONTROL_ALLOW_METHODS, True),
            (ACCESS_CONTROL_MAX_AGE, True),
        ))

    # BAR_DOMAIN: Allow-Origin is withheld (presumably the origin is not in
    # the allowed list), yet the credentials, headers and methods headers are
    # still emitted. The missing Allow-Origin is the access-control decision
    # this test pins for that origin.
    # NOTE(review): Access-Control-Max-Age is not asserted for this response.
    check_presence(
        self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': BAR_DOMAIN}), (
            (ACCESS_CONTROL_ALLOW_ORIGIN, False),
            (ACCESS_CONTROL_EXPOSE_HEADERS, True),
            (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
            (ACCESS_CONTROL_ALLOW_HEADERS, True),
            (ACCESS_CONTROL_ALLOW_METHODS, True),
        ))
def test_with_turned_on_cors_headers_is_included_with_valid_origin(self, number, data):
    """Compare the CORS headers of an OPTIONS and a GET response for FOO_DOMAIN.

    Both responses must carry Allow-Origin, Expose-Headers, Allow-Credentials
    and Max-Age. Allow-Headers and Allow-Methods are expected on the OPTIONS
    response only. Per the test name this presumably runs with CORS enabled;
    the setting is not visible here.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    origin_headers = {'HTTP_ORIGIN': FOO_DOMAIN}

    # OPTIONS: every CORS header is expected.
    # NOTE(review): only presence is checked. Access-Control-Allow-Credentials
    # is sent too, so consider asserting that the Allow-Origin value is the
    # specific origin, not '*'.
    preflight = self.options(self.USER_API_URL, headers=origin_headers)
    for header_name in (
            ACCESS_CONTROL_ALLOW_ORIGIN,
            ACCESS_CONTROL_EXPOSE_HEADERS,
            ACCESS_CONTROL_ALLOW_CREDENTIALS,
            ACCESS_CONTROL_ALLOW_HEADERS,
            ACCESS_CONTROL_ALLOW_METHODS,
            ACCESS_CONTROL_MAX_AGE):
        assert_true(preflight.has_header(header_name))

    # GET: the two preflight-negotiation headers are expected to be absent.
    actual = self.get(self.USER_API_URL, headers={'HTTP_ORIGIN': FOO_DOMAIN})
    for header_name, should_be_present in (
            (ACCESS_CONTROL_ALLOW_ORIGIN, True),
            (ACCESS_CONTROL_EXPOSE_HEADERS, True),
            (ACCESS_CONTROL_ALLOW_CREDENTIALS, True),
            (ACCESS_CONTROL_ALLOW_HEADERS, False),
            (ACCESS_CONTROL_ALLOW_METHODS, False),
            (ACCESS_CONTROL_MAX_AGE, True)):
        if should_be_present:
            assert_true(actual.has_header(header_name))
        else:
            assert_false(actual.has_header(header_name))
def test_cors_allow_methods(self, number, data):
    """Pin the Access-Control-Allow-Methods value returned to OPTIONS requests.

    An Origin header without Access-Control-Request-Method must yield only
    OPTIONS; adding a requested method (GET, POST) must yield exactly that
    method. A request without Origin must not receive the header at all.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    def advertised_methods(request_headers):
        # Send the OPTIONS request and split the header into a set of names.
        reply = self.options(self.USER_API_URL, headers=request_headers)
        return set(reply[ACCESS_CONTROL_ALLOW_METHODS].split(', '))

    assert_equal(advertised_methods({'HTTP_ORIGIN': FOO_DOMAIN}), {'OPTIONS'})
    assert_equal(
        advertised_methods({
            'HTTP_ORIGIN': FOO_DOMAIN,
            'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'GET',
        }),
        {'GET'})
    assert_equal(advertised_methods({'HTTP_ORIGIN': BAR_DOMAIN}), {'OPTIONS'})
    # NOTE(review): the requested method is reflected for BAR_DOMAIN as well.
    # No case covers a method the resource should refuse, so that path is
    # untested here.
    assert_equal(
        advertised_methods({
            'HTTP_ORIGIN': BAR_DOMAIN,
            'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'POST',
        }),
        {'POST'})

    # Without Origin the response must not carry the header.
    reply = self.options(self.USER_API_URL)
    assert_false(ACCESS_CONTROL_ALLOW_METHODS in reply)
def test_cors_allow_headers(self, number, data):
    """Pin the Access-Control-Allow-Headers value returned to OPTIONS requests.

    Requests with a FOO_DOMAIN or BAR_DOMAIN Origin must both receive the
    same fixed header list. A request without Origin must not receive the
    header at all.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    # Compared as an exact string: order and separator are part of the check.
    allowed_request_headers = (
        'X-Base', 'X-Offset', 'X-Fields', 'Origin', 'Content-Type', 'Accept')
    expected_value = ', '.join(allowed_request_headers)

    foo_reply = self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': FOO_DOMAIN})
    assert_equal(foo_reply[ACCESS_CONTROL_ALLOW_HEADERS], expected_value)

    bar_reply = self.options(self.USER_API_URL, headers={'HTTP_ORIGIN': BAR_DOMAIN})
    assert_equal(bar_reply[ACCESS_CONTROL_ALLOW_HEADERS], expected_value)

    # Without Origin the response must not carry the header.
    plain_reply = self.options(self.USER_API_URL)
    assert_false(ACCESS_CONTROL_ALLOW_HEADERS in plain_reply)
def test_with_turned_off_cors_headers_is_not_included(self, number, data):
    """Check that OPTIONS and GET responses carry no CORS headers at all.

    Per the test name this presumably runs with CORS disabled; the setting
    that disables it is not visible here.

    ``number`` and ``data`` are unused in this body; presumably they are
    injected by a decorator that is not visible here.
    """
    cors_headers = (
        ACCESS_CONTROL_ALLOW_ORIGIN,
        ACCESS_CONTROL_EXPOSE_HEADERS,
        ACCESS_CONTROL_ALLOW_CREDENTIALS,
        ACCESS_CONTROL_ALLOW_HEADERS,
        ACCESS_CONTROL_ALLOW_METHODS,
        ACCESS_CONTROL_MAX_AGE,
    )

    # NOTE(review): both requests omit the Origin header. The case "CORS off,
    # Origin sent" is therefore not exercised here and is worth adding, since
    # that is the request a browser would actually make cross-origin.
    response = self.options(self.USER_API_URL)
    for header_name in cors_headers:
        assert_false(response.has_header(header_name))

    response = self.get(self.USER_API_URL)
    for header_name in cors_headers:
        assert_false(response.has_header(header_name))