Commit cc774252 authored by alexpott's avatar alexpott

Issue #2850034 by hampercm, dawehner, Wim Leers: CORS allow-origin '*' not...

Issue #2850034 by hampercm, dawehner, Wim Leers: CORS allow-origin '*' not possible because of cached headers
parent 631e8d84
......@@ -733,7 +733,7 @@ services:
class: Asm89\Stack\Cors
arguments: ['%cors.config%']
tags:
- { name: http_middleware }
- { name: http_middleware, priority: 250 }
psr7.http_foundation_factory:
class: Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory
psr7.http_message_factory:
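Review bot: The new `priority: 250` on the cors middleware tag carries no explanation of why that value was chosen, and the ordering it encodes is the whole fix: the CORS middleware has to sit outside the page cache so the reflected `Access-Control-Allow-Origin` is computed per request instead of being stored with the cached response. A comment above the tag such as `# Must run outside the page cache middleware so the Access-Control-Allow-Origin header reflects each request's Origin, even on a cache hit.` would keep a later reshuffle of middleware priorities from silently reintroducing the issue. The page cache middleware's own priority is not visible in this hunk, so confirm that 250 is indeed above it.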
......
<?php
namespace Drupal\KernelTests\Core\HttpKernel;
namespace Drupal\FunctionalTests\HttpKernel;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\DependencyInjection\ServiceModifierInterface;
use Drupal\KernelTests\KernelTestBase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Drupal\Tests\BrowserTestBase;
/**
* Tests CORS provided by Drupal.
......@@ -17,29 +13,14 @@
*
* @group Http
*/
class CorsIntegrationTest extends KernelTestBase implements ServiceModifierInterface {
/**
* The cors container configuration.
*
* @var null|array
*/
protected $corsConfig = NULL;
class CorsIntegrationTest extends BrowserTestBase {
/**
* {@inheritdoc}
*/
public static $modules = ['system', 'test_page_test'];
protected function setUp() {
parent::setUp();
$this->installSchema('system', 'router');
\Drupal::service('router.builder')->rebuild();
}
public static $modules = ['system', 'test_page_test', 'page_cache'];
public function testCrossSiteRequest() {
// Test default parameters.
$cors_config = $this->container->getParameter('cors.config');
$this->assertSame(FALSE, $cors_config['enabled']);
......@@ -51,34 +32,46 @@ public function testCrossSiteRequest() {
$this->assertSame(FALSE, $cors_config['maxAge']);
$this->assertSame(FALSE, $cors_config['supportsCredentials']);
// Configure the CORS stack to allow a specific set of origins, but don't
// specify an origin header.
$request = Request::create('/test-page');
$request->headers->set('Origin', '');
// Enable CORS with the default options.
$cors_config['enabled'] = TRUE;
$this->setContainerParameter('cors.config', $cors_config);
$this->rebuildContainer();
// Fire off a request.
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'MISS');
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
// Fire the same exact request. This time it should be cached.
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
// Fire a request for a different origin. Verify the CORS header.
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.org']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org');
// Configure the CORS stack to allow a specific set of origins.
$cors_config['allowedOrigins'] = ['http://example.com'];
$this->corsConfig = $cors_config;
$this->container->get('kernel')->rebuildContainer();
$this->setContainerParameter('cors.config', $cors_config);
$this->rebuildContainer();
// Fire a request from an origin that isn't allowed.
/** @var \Symfony\Component\HttpFoundation\Response $response */
$response = $this->container->get('http_kernel')->handle($request);
$this->assertEquals(Response::HTTP_FORBIDDEN, $response->getStatusCode());
$this->assertEquals('Not allowed.', $response->getContent());
$this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
$this->assertSession()->statusCodeEquals(403);
$this->assertSession()->pageTextContains('Not allowed.');
// Specify a valid origin.
$request->headers->set('Origin', 'http://example.com');
$response = $this->container->get('http_kernel')->handle($request);
$this->assertEquals(Response::HTTP_OK, $response->getStatusCode());
}
/**
* {@inheritdoc}
*/
public function alter(ContainerBuilder $container) {
if (isset($this->corsConfig)) {
$container->setParameter('cors.config', $this->corsConfig);
}
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
}
}
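Review bot: The `Access-Control-Allow-Origin` assertions (the MISS and HIT requests for http://example.com, the HIT for http://example.org, and the final allowed-origin request) show the header reflecting the request's Origin rather than `*`, yet no request asserts a `Vary: Origin` response header. Because the point of the commit is that this header now differs per origin on an otherwise cacheable response, any cache in front of Drupal that keys on URL alone would serve one origin's reflected header to another unless `Vary: Origin` is emitted; the test should pin that, e.g. `$this->assertSession()->responseHeaderContains('Vary', 'Origin');` after each CORS-header assertion. Whether Asm89\Stack\Cors adds `Vary` for reflected origins is not visible here, so confirm against the library before adding the assertion. The final http://example.com request could also assert `X-Drupal-Cache` (presumably `HIT`) to show that restricting allowedOrigins still serves from the page cache rather than bypassing it.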