hub / github.com/encode/starlette / test_cors_disallowed_preflight

Function test_cors_disallowed_preflight

tests/middleware/test_cors.py:171–209  ·  view source on GitHub ↗
(
    test_client_factory: TestClientFactory,
)

Source from the content-addressed store, hash-verified

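def test_cors_disallowed_preflight(
    test_client_factory: TestClientFactory,
) -> None:
    """Check that CORSMiddleware rejects preflights outside its allow-list.

    The app allows only the origin ``https://example.org`` and the request
    header ``X-Example``. Two OPTIONS preflights are sent: one whose origin,
    method and requested header are all refused, and one from the allowed
    origin whose requested headers are refused. Each must be answered with
    a 400 and a body naming what was refused.
    """

    def homepage(request: Request) -> None:
        # Not expected to run: only OPTIONS preflights are sent below.
        pass  # pragma: no cover

    app = Starlette(
        routes=[Route("/", endpoint=homepage)],
        middleware=[
            Middleware(
                CORSMiddleware,
                allow_origins=["https://example.org"],
                allow_headers=["X-Example"],
            )
        ],
    )

    client = test_client_factory(app)

    # Test pre-flight response
    headers = {
        "Origin": "https://another.org",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-Nope",
    }
    response = client.options("/", headers=headers)
    assert response.status_code == 400
    assert response.text == "Disallowed CORS origin, method, headers"
    # The refused origin must not be echoed back: a browser only lets the
    # cross-origin request proceed when Access-Control-Allow-Origin matches.
    assert "access-control-allow-origin" not in response.headers

    # Bug specific test, https://github.com/Kludex/starlette/pull/1199
    # Test preflight response text with multiple disallowed headers
    headers = {
        "Origin": "https://example.org",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
    }
    response = client.options("/", headers=headers)
    # Allowed origin and method but refused headers is still a rejected
    # preflight, so pin the status code as well as the text; otherwise a
    # regression that answered 200 with this body would go unnoticed.
    assert response.status_code == 400
    assert response.text == "Disallowed CORS headers"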
212def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed(

Callers

nothing calls this directly

Calls 5

StarletteClass · 0.90
RouteClass · 0.90
MiddlewareClass · 0.90
test_client_factoryFunction · 0.85
optionsMethod · 0.80

Tested by

no test coverage detected