Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests

Alejandro Celaya
2016-07-19 20:20:18 +02:00
parent 0daa24739d
commit 839329d627
4 changed files with 49 additions and 16 deletions


@@ -21,15 +21,37 @@ class CrossDomainMiddlewareTest extends TestCase
/**
* @test
*/
public function anyRequestIncludesTheAllowAccessHeader()
public function nonCrossDomainRequestsAreNotAffected()
{
$originalResponse = new Response();
$response = $this->middleware->__invoke(
ServerRequestFactory::fromGlobals(),
new Response(),
$originalResponse,
function ($req, $resp) {
return $resp;
}
);
$this->assertSame($originalResponse, $response);
$headers = $response->getHeaders();
$this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
$this->assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
}
/**
* @test
*/
public function anyRequestIncludesTheAllowAccessHeader()
{
$originalResponse = new Response();
$response = $this->middleware->__invoke(
ServerRequestFactory::fromGlobals()->withHeader('Origin', 'local'),
$originalResponse,
function ($req, $resp) {
return $resp;
}
);
$this->assertNotSame($originalResponse, $response);
$headers = $response->getHeaders();
$this->assertArrayHasKey('Access-Control-Allow-Origin', $headers);
@@ -41,11 +63,13 @@ class CrossDomainMiddlewareTest extends TestCase
*/
public function optionsRequestIncludesMoreHeaders()
{
$request = ServerRequestFactory::fromGlobals(['REQUEST_METHOD' => 'OPTIONS']);
$originalResponse = new Response();
$request = ServerRequestFactory::fromGlobals(['REQUEST_METHOD' => 'OPTIONS'])->withHeader('Origin', 'local');
$response = $this->middleware->__invoke($request, new Response(), function ($req, $resp) {
$response = $this->middleware->__invoke($request, $originalResponse, function ($req, $resp) {
return $resp;
});
$this->assertNotSame($originalResponse, $response);
$headers = $response->getHeaders();
$this->assertArrayHasKey('Access-Control-Allow-Origin', $headers);
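Review bot: The CORS tests visible here (`anyRequestIncludesTheAllowAccessHeader` and `optionsRequestIncludesMoreHeaders`) assert only that `Access-Control-Allow-Origin` is present, never what it contains, so a regression that widens the allowed origin would still pass. Pinning the value would close that gap, e.g. `$this->assertEquals(['<expected allowed origin>'], $headers['Access-Control-Allow-Origin']);`, with the placeholder replaced by whatever policy the middleware is meant to enforce. Both tests also send `Origin: local`, which is not a well-formed origin (scheme plus host); a realistic constructed value such as `https://client.example` would exercise the path a browser actually takes. The name `anyRequestIncludesTheAllowAccessHeader` no longer matches the behaviour now that requests without an `Origin` header are returned untouched; `crossDomainRequestsIncludeTheAllowAccessHeader` would describe it. The middleware is outside this section, so whether it validates or echoes the `Origin` value cannot be confirmed from these lines.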