authorMichael Krotscheck <krotscheck@gmail.com>2015-08-18 18:50:22 -0700
committerMichael Krotscheck <krotscheck@gmail.com>2015-08-20 07:56:28 -0700
commitb9b1f584f223f59feec18a37d6e8c45a841ab579 (patch)
tree18a7e1752445cc5adde674ac7b3b10215822a9fd
parentc78b156723cb4895be2ee0a55e4b9d9726b5b1c1 (diff)
downloadoslo-middleware-b9b1f584f223f59feec18a37d6e8c45a841ab579.tar.gz
Added new test for CORS Simple Headers2.6.1
It turns out that the simple header list outlined by the CORS specification includes additional headers that were missed during the initial implementation. This patch adds those headers, and includes a test to enforce it moving forward. Change-Id: I06f28102d1fa59d7c647fd08d69ea60e277a653f
-rw-r--r--oslo_middleware/cors.py2
-rw-r--r--oslo_middleware/tests/test_cors.py35
2 files changed, 37 insertions, 0 deletions
diff --git a/oslo_middleware/cors.py b/oslo_middleware/cors.py
index f55c672..21ce94c 100644
--- a/oslo_middleware/cors.py
+++ b/oslo_middleware/cors.py
@@ -63,6 +63,8 @@ class CORS(base.ConfigurableMiddleware):
"""
simple_headers = [
+ 'Accept',
+ 'Accept-Language',
'Content-Type',
'Cache-Control',
'Content-Language',
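Review bot: With `Accept` and `Accept-Language` added, `simple_headers` now mixes the CORS spec's simple request headers with its simple response headers (`Cache-Control` is one of the latter), and nothing in the list says which entry is which. How the list is consumed is outside this hunk. If the same list feeds both the preflight `Access-Control-Request-Headers` check and the exposed-header handling, response-only names would be accepted on requests without being configured for the origin, and request-only names would be treated as exposable. At minimum a comment above the list would state the intent, e.g. `# Union of the CORS spec's simple request headers and simple response headers.`; keeping two separate lists would be the stricter option. The list continues past the end of the hunk.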
diff --git a/oslo_middleware/tests/test_cors.py b/oslo_middleware/tests/test_cors.py
index f1fa150..196e302 100644
--- a/oslo_middleware/tests/test_cors.py
+++ b/oslo_middleware/tests/test_cors.py
@@ -586,6 +586,41 @@ class CORSPreflightRequestTest(CORSTestBase):
allow_credentials=None,
expose_headers=None)
+ def test_simple_header_response(self):
+ """CORS Specification Section 3
+
+ A header is said to be a simple header if the header field name is an
+ ASCII case-insensitive match for Accept, Accept-Language, or
+ Content-Language or if it is an ASCII case-insensitive match for
+ Content-Type and the header field value media type (excluding
+ parameters) is an ASCII case-insensitive match for
+ application/x-www-form-urlencoded, multipart/form-data, or text/plain.
+
+ NOTE: We are not testing the media type cases.
+ """
+
+ simple_headers = ','.join([
+ 'accept',
+ 'accept-language',
+ 'content-language',
+ 'content-type'
+ ])
+
+ request = webob.Request.blank('/')
+ request.method = "OPTIONS"
+ request.headers['Origin'] = 'http://valid.example.com'
+ request.headers['Access-Control-Request-Method'] = 'GET'
+ request.headers['Access-Control-Request-Headers'] = simple_headers
+ response = request.get_response(self.application)
+ self.assertCORSResponse(response,
+ status='200 OK',
+ allow_origin='http://valid.example.com',
+ max_age=None,
+ allow_methods='GET',
+ allow_headers=simple_headers,
+ allow_credentials=None,
+ expose_headers=None)
+
def test_no_request_method(self):
"""CORS Specification Section 6.2.3
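Review bot: `test_simple_header_response` only covers the accept path, with four all-lowercase simple names and an assertion that they are echoed back in `allow_headers`. It does not check that a name outside the simple list and outside the origin's configured `allow_headers` is still refused when sent in the same `Access-Control-Request-Headers` value, which is the check that stops the widened list from behaving like allow-all. A companion case could append a constructed unconfigured name such as `'x-not-configured'` to the joined string and assert the same rejection shape the other tests in this class use. The configuration for `http://valid.example.com` is set up outside the hunk; if it already lists these four names, this test would pass without the `cors.py` change, so a docstring line such as `The origin's allow_headers must not contain any of these names.` would record that precondition.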