Skip to content

Commit

Permalink
Merge pull request Cornices#320 from treerao/corsfix
Browse files Browse the repository at this point in the history
fix check for cors allow credentials
  • Loading branch information
almet committed Jul 28, 2015
2 parents d3606b9 + e3e3f09 commit f94dd6c
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 12 deletions.
3 changes: 1 addition & 2 deletions cornice/cors.py
Original file line number Diff line number Diff line change
Expand Up @@ -96,8 +96,7 @@ def ensure_origin(service, request, response=None):
for o in service.cors_origins_for(method)]):
request.errors.add('header', 'Origin',
'%s not allowed' % origin)
elif request.headers.get(
'Access-Control-Allow-Credentials', False):
elif service.cors_support_credentials_for(method):
response.headers['Access-Control-Allow-Origin'] = origin
else:
if any([o == "*" for o in service.cors_origins_for(method)]):
Expand Down
12 changes: 2 additions & 10 deletions cornice/tests/test_cors.py
Original file line number Diff line number Diff line change
Expand Up @@ -228,26 +228,18 @@ def test_resp_dont_include_allow_origin(self):
self.assertNotIn('Access-Control-Allow-Origin', resp.headers)
self.assertEqual(resp.json, 'squirels')

def test_resp_allow_origin_wildcard(self):
resp = self.app.options(
'/cors_klass',
status=200,
headers={
'Origin': 'lolnet.org',
'Access-Control-Request-Method': 'POST'})
self.assertEqual(resp.headers['Access-Control-Allow-Origin'], '*')

def test_origin_is_not_wildcard_if_allow_credentials(self):
resp = self.app.options(
'/cors_klass',
status=200,
headers={
'Origin': 'lolnet.org',
'Access-Control-Request-Method': 'POST',
'Access-Control-Allow-Credentials': 'true'
})
self.assertEqual(resp.headers['Access-Control-Allow-Origin'],
'lolnet.org')
self.assertEqual(resp.headers['Access-Control-Allow-Credentials'],
'true')

def test_responses_include_an_allow_origin_header(self):
resp = self.app.get('/squirel', headers={'Origin': 'notmyidea.org'})
Expand Down

0 comments on commit f94dd6c

Please sign in to comment.