def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/') request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*'): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') # make sure the replace code is idempotent with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_request(request) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_request(request) self.assertIsNone(response)
def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_view(request, None, None, None) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_view(request, None, None, None) self.assertIsNone(response)
def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with override_settings(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_view(request, None, None, None) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with override_settings(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_view(request, None, None, None) self.assertIsNone(response)
def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='https://foo.google.com/', ) response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_view(request, None, None, None) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_view(request, None, None, None) assert response is None
def test_process_view_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_view(request, None, None, None) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_view(request, None, None, None) assert response is None
def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True # make sure it doesnt blow up when HTTP_REFERER is not present request.META = { 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_request(request) assert response is None # make sure it doesnt blow up when HTTP_HOST is not present request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_ORIGIN': 'https://foo.google.com', } response = self.middleware.process_request(request) assert response is None request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'http://foo.google.com/' request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with override_settings(CORS_REPLACE_HTTPS_REFERER=False): response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = self.middleware.process_request(request) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' # make sure the replace code is idempotent response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META[ 'ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_request(request) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_request(request) assert response is None
def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() request = Mock(path='/') request.method = 'GET' request.is_secure = lambda: True # make sure it doesnt blow up when HTTP_REFERER is not present request.META = { 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) # make sure it doesnt blow up when HTTP_HOST is not present request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_ORIGIN': 'https://foo.google.com', } with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) request.is_secure = lambda: False request.META = { 'HTTP_REFERER': 'http://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'http://foo.google.com', } # test that we won't replace if the request is not secure with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/') request.is_secure = lambda: True request.META = { 'HTTP_REFERER': 'https://foo.google.com/', 'HTTP_HOST': 'foobar.com', 'HTTP_ORIGIN': 'https://foo.google.com', } # test that we won't replace with the setting off with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*'): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_request(request) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') # make sure the replace code is idempotent with settings_override(CORS_URLS_REGEX='^.*$', CORS_ORIGIN_REGEX_WHITELIST='.*google.*', CORS_REPLACE_HTTPS_REFERER=True): response = self.middleware.process_view(request, None, None, None) self.assertIsNone(response) self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/') self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): post_middleware.process_request(request) self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META) self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/') with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True): response = post_middleware.process_request(request) self.assertIsNone(response)
def test_process_request_replace_https_referer(self): post_middleware = CorsPostCsrfMiddleware() # make sure it doesnt blow up when HTTP_REFERER is not present request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', ) response = self.middleware.process_request(request) assert response is None # make sure it doesnt blow up when HTTP_HOST is not present request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='http://foo.google.com/', ) response = self.middleware.process_request(request) assert response is None # test that we won't replace if the request is not secure request = self.req_factory.get( '/', HTTP_HOST='foobar.com', HTTP_ORIGIN='http://foo.google.com', HTTP_REFERER='http://foo.google.com/', ) response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'http://foo.google.com/' # test that we won't replace with the setting off request = self.req_factory.get( '/', HTTP_FAKE_SECURE='true', HTTP_HOST='foobar.com', HTTP_ORIGIN='https://foo.google.com', HTTP_REFERER='https://foo.google.com/', ) with override_settings(CORS_REPLACE_HTTPS_REFERER=False): response = self.middleware.process_request(request) assert response is None assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = self.middleware.process_request(request) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' # make sure the replace code is idempotent response = self.middleware.process_view(request, None, None, None) assert response is None assert request.META['ORIGINAL_HTTP_REFERER'] == 'https://foo.google.com/' assert request.META['HTTP_REFERER'] == 'https://foobar.com/' post_middleware.process_request(request) assert 'ORIGINAL_HTTP_REFERER' not in request.META assert request.META['HTTP_REFERER'] == 'https://foo.google.com/' response = post_middleware.process_request(request) assert response is None