author | Tim Burke <tim.burke@gmail.com> | 2022-03-09 22:18:49 -0800 |
---|---|---|
committer | Tim Burke <tim.burke@gmail.com> | 2022-03-09 22:18:55 -0800 |
commit | bab7f93223ae5c4721ba8a224cc12ec05bcac8bf (patch) | |
tree | 08d14d87162b5257abee10644461fd294977e88f /test/unit/proxy | |
parent | 3ff3076ce6648937993e90334b7a9f532b06806c (diff) | |
download | swift-bab7f93223ae5c4721ba8a224cc12ec05bcac8bf.tar.gz |
cors: Include `Vary: Origin` when using the request's Origin
Otherwise, multiple frontends attempting to use the same data may get
denials because the browser served a cached response from when it used a
different origin.
Change-Id: I6ec8b8ceb8c6a58e74772e57e6fe5700f6ff8db1
Diffstat (limited to 'test/unit/proxy')
-rw-r--r-- | test/unit/proxy/test_server.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py
index 4249c41c2..5158a09cc 100644
--- a/test/unit/proxy/test_server.py
+++ b/test/unit/proxy/test_server.py
@@ -6484,6 +6484,7 @@ class TestReplicatedObjectController(
         self.assertEqual(200, resp.status_int)
         self.assertEqual('http://foo.bar',
                          resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])
         self.assertEqual('red', resp.headers['x-object-meta-color'])
         # X-Super-Secret is in the response, but not "exposed"
         self.assertEqual('hush', resp.headers['x-super-secret'])
@@ -6506,6 +6507,7 @@ class TestReplicatedObjectController(
         self.assertEqual(200, resp.status_int)
         self.assertEqual('*',
                          resp.headers['access-control-allow-origin'])
+        self.assertNotIn('vary', resp.headers)
 
         # test allow_origin empty
         container_cors = {'allow_origin': ''}
@@ -6514,6 +6516,7 @@ class TestReplicatedObjectController(
         self.assertEqual(200, resp.status_int)
         self.assertEqual('http://foo.bar',
                          resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])
 
     def test_CORS_valid_strict(self):
         # test expose_headers to non-allowed origins
@@ -6535,6 +6538,7 @@ class TestReplicatedObjectController(
         self.assertEqual(200, resp.status_int)
         self.assertEqual('*',
                          resp.headers['access-control-allow-origin'])
+        self.assertNotIn('vary', resp.headers)
         self.assertEqual('red', resp.headers['x-object-meta-color'])
         # X-Super-Secret is in the response, but not "exposed"
         self.assertEqual('hush', resp.headers['x-super-secret'])
@@ -6554,6 +6558,7 @@ class TestReplicatedObjectController(
             container_cors=container_cors, strict_mode=True)
         self.assertNotIn('access-control-expose-headers', resp.headers)
         self.assertNotIn('access-control-allow-origin', resp.headers)
+        self.assertNotIn('vary', resp.headers)
 
         # test proxy server cors_allow_origin option
         self.app.cors_allow_origin = ['http://foo.bar']
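Review bot: The new assertion `self.assertEqual('Origin', resp.headers['vary'])` in the first hunk pins the entire Vary value rather than the presence of the Origin token, so it breaks as soon as any other layer contributes a second member (a `Vary: Origin, Accept-Encoding` shape is common once compression or auth middleware is in the pipeline). A token check is more durable and still proves the cache-keying point the commit is about: `vary = {v.strip().lower() for v in resp.headers['vary'].split(',')}` followed by `self.assertIn('origin', vary)`. The same exact-equality assertion is repeated in the third hunk of this file and in the final hunk that follows it. The enclosing test methods start outside these hunks.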
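Review bot: In the fifth hunk, `self.assertNotIn('vary', resp.headers)` on the strict-mode denial enshrines a response that carries no Vary even though its content did depend on the request's Origin: the lines that follow show the same strict-mode request from an allowed origin receiving the CORS headers. A browser or shared cache that stores the header-less denial can therefore replay it to a later request from an allowed origin, which looks like the stale-cache symptom the commit message describes, just on the denial side. If omitting Vary on denials is deliberate, a comment next to the assertion would stop the next reader from "fixing" it, e.g. `# denial carries no origin-derived headers, so no Vary is expected`; if it is not, the denial path should emit Vary: Origin as well and this assertion should flip to assertEqual. The enclosing method starts outside the hunk.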
@@ -6561,6 +6566,7 @@ class TestReplicatedObjectController(
             container_cors=container_cors, strict_mode=True)
         self.assertEqual('http://foo.bar',
                          resp.headers['access-control-allow-origin'])
+        self.assertEqual('Origin', resp.headers['vary'])
         self.assertEqual(expected_exposed, exposed)
 
     def test_CORS_valid_with_obj_headers(self): |