diff --git a/cornice/cors.py b/cornice/cors.py
index 77311661..b27a91e3 100644
--- a/cornice/cors.py
+++ b/cornice/cors.py
@@ -96,8 +96,7 @@ def ensure_origin(service, request, response=None):
 for o in service.cors_origins_for(method)]):
 request.errors.add('header', 'Origin',
 '%s not allowed' % origin)
- elif request.headers.get(
- 'Access-Control-Allow-Credentials', False):
+ elif service.cors_support_credentials_for(method):
 response.headers['Access-Control-Allow-Origin'] = origin
 else:
 if any([o == "*" for o in service.cors_origins_for(method)]):
diff --git a/cornice/tests/test_cors.py b/cornice/tests/test_cors.py
index dd126d38..bcb755e6 100644
--- a/cornice/tests/test_cors.py
+++ b/cornice/tests/test_cors.py
@@ -228,15 +228,6 @@ def test_resp_dont_include_allow_origin(self):
 self.assertNotIn('Access-Control-Allow-Origin', resp.headers)
 self.assertEqual(resp.json, 'squirels')

- def test_resp_allow_origin_wildcard(self):
- resp = self.app.options(
- '/cors_klass',
- status=200,
- headers={
- 'Origin': 'lolnet.org',
- 'Access-Control-Request-Method': 'POST'})
- self.assertEqual(resp.headers['Access-Control-Allow-Origin'], '*')
-
 def test_origin_is_not_wildcard_if_allow_credentials(self):
 resp = self.app.options(
 '/cors_klass',
@@ -244,10 +235,11 @@ def test_origin_is_not_wildcard_if_allow_credentials(self):
 headers={
 'Origin': 'lolnet.org',
 'Access-Control-Request-Method': 'POST',
- 'Access-Control-Allow-Credentials': 'true'
 })
 self.assertEqual(resp.headers['Access-Control-Allow-Origin'],
 'lolnet.org')
+ self.assertEqual(resp.headers['Access-Control-Allow-Credentials'],
+ 'true')

 def test_responses_include_an_allow_origin_header(self):
 resp = self.app.get('/squirel', headers={'Origin': 'notmyidea.org'})
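Review bot: In cornice/cors.py, the new `elif service.cors_support_credentials_for(method):` branch reflects whatever `Origin` passed the check above it into `Access-Control-Allow-Origin`, so a service that pairs a `*` origin pattern with credentials support grants credentialed cross-origin access to every site. The updated test appears to pin exactly that for `/cors_klass`. Browsers refuse `*` together with credentials to prevent this, and echoing the origin sidesteps that guard, so I would reject or warn on the combination when the service is configured and mark the branch with `# credentials enabled: echo the validated origin; '*' is not valid with credentials`. Whether `Vary: Origin` is set for the reflected value is not visible here and is worth confirming. The body of ensure_origin starts before and continues after this hunk.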
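Review bot: In cornice/tests/test_cors.py, the updated `test_origin_is_not_wildcard_if_allow_credentials` only exercises a service that supports credentials, so nothing visible here pins the case the cors.py change is about: a client-supplied `Access-Control-Allow-Credentials` request header reaching a service that does not support credentials. I would add a regression test that sends that header to such a service and checks `self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`, plus an assertion on the resulting `Access-Control-Allow-Origin` value. With `test_resp_allow_origin_wildcard` deleted in the preceding hunk, the plain `*` branch of ensure_origin also seems to lose its direct assertion in the part of the file shown; a wildcard service without credentials would restore that coverage.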