(
test_client_factory: TestClientFactory,
)
| 169 | |
| 170 | |
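def test_cors_disallowed_preflight(
    test_client_factory: TestClientFactory,
) -> None:
    """Check that preflight requests outside the CORS policy are refused.

    The app allows only the origin ``https://example.org`` and the request
    header ``X-Example``. Two preflights are sent: one from a different
    origin, and one from the allowed origin asking for headers that are not
    on the allow-list.
    """

    def homepage(request: Request) -> None:
        pass  # pragma: no cover

    app = Starlette(
        routes=[Route("/", endpoint=homepage)],
        middleware=[
            Middleware(
                CORSMiddleware,
                allow_origins=["https://example.org"],
                allow_headers=["X-Example"],
            )
        ],
    )

    client = test_client_factory(app)

    # Test pre-flight response
    # Origin, method and header all fall outside the policy, so the body is
    # expected to name all three.
    headers = {
        "Origin": "https://another.org",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-Nope",
    }
    response = client.options("/", headers=headers)
    assert response.status_code == 400
    assert response.text == "Disallowed CORS origin, method, headers"
    # A refused origin must not be echoed back in Access-Control-Allow-Origin;
    # the browser would otherwise treat the cross-origin request as permitted.
    assert "access-control-allow-origin" not in response.headers

    # Bug specific test, https://github.com/Kludex/starlette/pull/1199
    # Test preflight response text with multiple disallowed headers
    # Origin is on the allow-list and the expected text names only the
    # headers, so the two unknown headers are the sole reason for refusal.
    headers = {
        "Origin": "https://example.org",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
    }
    response = client.options("/", headers=headers)
    # Pin the status too: the body text alone would still match if the
    # refusal were ever served with a success status.
    assert response.status_code == 400
    assert response.text == "Disallowed CORS headers"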
| 210 | |
| 211 | |
| 212 | def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed( |