-rw-r--r-- | oslo_middleware/cors.py | 2 | ||||
-rw-r--r-- | oslo_middleware/tests/test_cors.py | 35 |
2 files changed, 37 insertions, 0 deletions
diff --git a/oslo_middleware/cors.py b/oslo_middleware/cors.py
index f55c672..21ce94c 100644
--- a/oslo_middleware/cors.py
+++ b/oslo_middleware/cors.py
@@ -63,6 +63,8 @@ class CORS(base.ConfigurableMiddleware):
 """
 simple_headers = [
+ 'Accept',
+ 'Accept-Language',
 'Content-Type',
 'Cache-Control',
 'Content-Language',
diff --git a/oslo_middleware/tests/test_cors.py b/oslo_middleware/tests/test_cors.py
index f1fa150..196e302 100644
--- a/oslo_middleware/tests/test_cors.py
+++ b/oslo_middleware/tests/test_cors.py
@@ -586,6 +586,41 @@ class CORSPreflightRequestTest(CORSTestBase):
 allow_credentials=None,
 expose_headers=None)
+ def test_simple_header_response(self):
+ """CORS Specification Section 3
+
+ A header is said to be a simple header if the header field name is an
+ ASCII case-insensitive match for Accept, Accept-Language, or
+ Content-Language or if it is an ASCII case-insensitive match for
+ Content-Type and the header field value media type (excluding
+ parameters) is an ASCII case-insensitive match for
+ application/x-www-form-urlencoded, multipart/form-data, or text/plain.
+
+ NOTE: We are not testing the media type cases.
+ """
+
+ simple_headers = ','.join([
+ 'accept',
+ 'accept-language',
+ 'content-language',
+ 'content-type'
+ ])
+
+ request = webob.Request.blank('/')
+ request.method = "OPTIONS"
+ request.headers['Origin'] = 'http://valid.example.com'
+ request.headers['Access-Control-Request-Method'] = 'GET'
+ request.headers['Access-Control-Request-Headers'] = simple_headers
+ response = request.get_response(self.application)
+ self.assertCORSResponse(response,
+ status='200 OK',
+ allow_origin='http://valid.example.com',
+ max_age=None,
+ allow_methods='GET',
+ allow_headers=simple_headers,
+ allow_credentials=None,
+ expose_headers=None)
+
 def test_no_request_method(self):
 """CORS Specification Section 6.2.3 |
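Review bot: `simple_headers` now mixes two different CORS categories in one list: the added `'Accept'` and `'Accept-Language'` are simple request headers, while the neighbouring `'Cache-Control'` is a simple response header, and nothing at the list says which role it plays. The code that consumes the list is outside this hunk, so this is inferred, but if the same list both filters exposed response headers and admits names sent in `Access-Control-Request-Headers`, a preflight naming `Cache-Control` would be approved without the operator listing it in `allow_headers`. I would either split it into separate request and response lists or document the intent above it, e.g. `# Union of CORS simple request and simple response headers; always permitted regardless of configuration.` The rest of the list and the class body lie outside the hunk.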
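Review bot: `test_simple_header_response` pins that a preflight naming `content-type` is approved unconditionally, and the docstring's own NOTE concedes the media-type condition is not covered. A browser normally lists Content-Type in `Access-Control-Request-Headers` only when its value is outside the three simple media types, so the asserted behaviour admits for example JSON bodies from any allowed origin without `allow_headers` naming the header. If that is deliberate, say so next to the header list, e.g. `# Content-Type is accepted here for any media type; the preflight carries no value to check.` The test also exercises only the all-simple case; a companion case that joins `simple_headers` with one header not configured for this origin would show that the allowance does not widen acceptance of other headers. The fixture configuration for `http://valid.example.com` is outside the hunk.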