[ { "path": ".coveragerc", "content": "[run]\nsource=corsheaders\n\n[report]\nomit=*tests*,*__init__*\nshow_missing=True\n\nexclude_lines =\n # Have to re-enable the standard pragma\n pragma: no cover\n\n # Don't complain about missing debug-only code:\n def __repr__\n if self\\.debug\n\n # Don't complain if tests don't hit defensive assertion code:\n raise AssertionError\n raise NotImplementedError\n\n # Don't complain if non-runnable code isn't run:\n if 0:\n if __name__ == .__main__.:\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "**Issue(s)** : " }, { "path": ".gitignore", "content": "*.pyc\n*.egg-info\nbuild/ \ndist/\n.eggs/\n.idea/\n.tox/\n\n# Packages\n*.egg\n*.egg-info\n.coverage\ndist\nbuild\neggs\nparts\nbin\nvar\nsdist\ndevelop-eggs\n.installed.cfg\nlib\nlib64\n\n" }, { "path": ".travis.yml", "content": "language: python\npython:\n- 2.7\n- 3.4\n- 3.5\n- 3.6\n\n\nsudo: false\n\ninstall:\n- pip install tox-travis\n\nscript:\n- tox\n\n# Coverage data generation\n- pip install \"Django<2.2\" flake8 coverage codecov\n- flake8 --config flake8.cfg .\n- coverage run setup.py test\n- coverage report\n\nafter_success:\n- codecov" }, { "path": "LICENSE.txt", "content": "Original work Copyright 2013 Otto Yiu and other contributors\rModified work Copyright 2016 Zeste de Savoir\r\rPermission is hereby granted, free of charge, to any person obtaining\ra copy of this software and associated documentation files (the\r\"Software\"), to deal in the Software without restriction, including\rwithout limitation the rights to use, copy, modify, merge, publish,\rdistribute, sublicense, and/or sell copies of the Software, and to\rpermit persons to whom the Software is furnished to do so, subject to\rthe following conditions:\r\rThe above copyright notice and this permission notice shall be\rincluded in all copies or substantial portions of the Software.\r\rTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\rEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\rMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\rNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\rLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\rOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\rWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." }, { "path": "MANIFEST.in", "content": "include README.rst\ninclude LICENSE.txt\n" }, { "path": "README.rst", "content": "django-cors-middleware\r\n======================\r\n\r\n``django-cors-middleware`` is **depreciated**, please use `adamchainz/django-cors-headers `_ instead.\r\n\r\nIt was created at a time when ``django-cors-headers`` was not maintained, but it is well maintained now and there is no need to have two different packages for that.\r\n\r\nExtract from `adamchainz/django-cors-headers README's About section `_:\r\n\r\n **django-cors-headers** was created in January 2013 by Otto Yiu. It went\r\n unmaintained from August 2015 and was forked in January 2016 to the package\r\n `django-cors-middleware `_\r\n by Laville Augustin at Zeste de Savoir.\r\n In September 2016, Adam Johnson, Ed Morley, and others gained maintenance\r\n responsibility for **django-cors-headers**\r\n (`Issue 110 `__)\r\n from Otto Yiu.\r\n Basically all of the changes in the forked **django-cors-middleware** were\r\n merged back, or re-implemented in a different way, so it should be possible to\r\n switch back. If there's a feature that hasn't been merged, please open an issue\r\n about it.\r\n" }, { "path": "corsheaders/__init__.py", "content": "__version__ = '999'\n" }, { "path": "corsheaders/defaults.py", "content": "from django.conf import settings\n\ndefault_headers = (\n 'x-requested-with',\n 'content-type',\n 'accept',\n 'origin',\n 'authorization',\n 'x-csrftoken',\n 'user-agent',\n 'accept-encoding',\n 'cache-control',\n)\n\nCORS_ALLOW_HEADERS = getattr(settings, 'CORS_ALLOW_HEADERS', default_headers)\n\ndefault_methods = (\n 'GET',\n 'POST',\n 'PUT',\n 'PATCH',\n 'DELETE',\n 'OPTIONS',\n)\nCORS_ALLOW_METHODS = getattr(settings, 'CORS_ALLOW_METHODS', default_methods)\n\nCORS_ALLOW_CREDENTIALS = getattr(settings, 'CORS_ALLOW_CREDENTIALS', False)\n\nCORS_PREFLIGHT_MAX_AGE = getattr(settings, 'CORS_PREFLIGHT_MAX_AGE', 86400)\n\nCORS_ORIGIN_ALLOW_ALL = getattr(settings, 'CORS_ORIGIN_ALLOW_ALL', False)\n\nCORS_ORIGIN_WHITELIST = getattr(settings, 'CORS_ORIGIN_WHITELIST', ())\n\nCORS_ORIGIN_REGEX_WHITELIST = getattr(\n settings,\n 'CORS_ORIGIN_REGEX_WHITELIST',\n ())\n\nCORS_EXPOSE_HEADERS = getattr(settings, 'CORS_EXPOSE_HEADERS', ())\n\nCORS_URLS_REGEX = getattr(settings, 'CORS_URLS_REGEX', '^.*$')\n\nCORS_MODEL = getattr(settings, 'CORS_MODEL', None)\n\nCORS_REPLACE_HTTPS_REFERER = getattr(\n settings,\n 'CORS_REPLACE_HTTPS_REFERER',\n False)\nCORS_URLS_ALLOW_ALL_REGEX = getattr(settings, 'CORS_URLS_ALLOW_ALL_REGEX', ())\n" }, { "path": "corsheaders/middleware.py", "content": "import re\n\nfrom django import http\ntry:\n from urlparse import urlparse\nexcept ImportError:\n from urllib.parse import urlparse\n\nfrom django.apps import apps\nfrom django.utils.cache import patch_vary_headers\nfrom django.utils.deprecation import MiddlewareMixin\n\nfrom corsheaders import defaults as settings\nfrom corsheaders import signals\n\nget_model = apps.get_model\n\nACCESS_CONTROL_ALLOW_ORIGIN = 'Access-Control-Allow-Origin'\nACCESS_CONTROL_EXPOSE_HEADERS = 'Access-Control-Expose-Headers'\nACCESS_CONTROL_ALLOW_CREDENTIALS = 'Access-Control-Allow-Credentials'\nACCESS_CONTROL_ALLOW_HEADERS = 'Access-Control-Allow-Headers'\nACCESS_CONTROL_ALLOW_METHODS = 'Access-Control-Allow-Methods'\nACCESS_CONTROL_MAX_AGE = 'Access-Control-Max-Age'\n\n\nclass CorsPostCsrfMiddleware(MiddlewareMixin):\n\n def _https_referer_replace_reverse(self, request):\n \"\"\"\n Put the HTTP_REFERER back to its original value and delete the\n temporary storage\n \"\"\"\n if (settings.CORS_REPLACE_HTTPS_REFERER and\n 'ORIGINAL_HTTP_REFERER' in request.META):\n http_referer = request.META['ORIGINAL_HTTP_REFERER']\n request.META['HTTP_REFERER'] = http_referer\n del request.META['ORIGINAL_HTTP_REFERER']\n\n def process_request(self, request):\n self._https_referer_replace_reverse(request)\n return None\n\n def process_view(self, request, callback, callback_args, callback_kwargs):\n self._https_referer_replace_reverse(request)\n return None\n\n\nclass CorsMiddleware(MiddlewareMixin):\n\n def _https_referer_replace(self, request):\n \"\"\"\n When https is enabled, django CSRF checking includes referer checking\n which breaks when using CORS. This function updates the HTTP_REFERER\n header to make sure it matches HTTP_HOST, provided that our cors logic\n succeeds\n \"\"\"\n origin = request.META.get('HTTP_ORIGIN')\n\n if (request.is_secure() and origin and\n 'ORIGINAL_HTTP_REFERER' not in request.META):\n url = urlparse(origin)\n if (not settings.CORS_ORIGIN_ALLOW_ALL and\n self.origin_not_found_in_white_lists(origin, url)):\n return\n\n try:\n http_referer = request.META['HTTP_REFERER']\n http_host = \"https://%s/\" % request.META['HTTP_HOST']\n request.META = request.META.copy()\n request.META['ORIGINAL_HTTP_REFERER'] = http_referer\n request.META['HTTP_REFERER'] = http_host\n except KeyError:\n pass\n\n def process_request(self, request):\n \"\"\"\n If CORS preflight header, then create an\n empty body response (200 OK) and return it\n\n Django won't bother calling any other request\n view/exception middleware along with the requested view;\n it will call any response middlewares\n \"\"\"\n if self.is_enabled(request) and settings.CORS_REPLACE_HTTPS_REFERER:\n self._https_referer_replace(request)\n\n if (self.is_enabled(request) and\n request.method == 'OPTIONS' and\n \"HTTP_ACCESS_CONTROL_REQUEST_METHOD\" in request.META):\n response = http.HttpResponse()\n return response\n return None\n\n def process_view(self, request, callback, callback_args, callback_kwargs):\n \"\"\"\n Do the referer replacement here as well\n \"\"\"\n if self.is_enabled(request) and settings.CORS_REPLACE_HTTPS_REFERER:\n self._https_referer_replace(request)\n return None\n\n def process_response(self, request, response):\n \"\"\"\n Add the respective CORS headers\n \"\"\"\n origin = request.META.get('HTTP_ORIGIN')\n if self.is_enabled(request) and origin:\n # todo: check hostname from db instead\n url = urlparse(origin)\n\n if settings.CORS_MODEL is not None:\n model = get_model(*settings.CORS_MODEL.split('.'))\n if model.objects.filter(cors=url.netloc).exists():\n response[ACCESS_CONTROL_ALLOW_ORIGIN] = origin\n\n if (not settings.CORS_ORIGIN_ALLOW_ALL and\n self.origin_not_found_in_white_lists(origin, url) and\n not self.regex_url_allow_all_match(request.path) and\n not self.check_signal(request)):\n return response\n\n if settings.CORS_ORIGIN_ALLOW_ALL and not settings.CORS_ALLOW_CREDENTIALS:\n response[ACCESS_CONTROL_ALLOW_ORIGIN] = \"*\"\n else:\n response[ACCESS_CONTROL_ALLOW_ORIGIN] = origin\n patch_vary_headers(response, ['Origin'])\n\n if len(settings.CORS_EXPOSE_HEADERS):\n response[ACCESS_CONTROL_EXPOSE_HEADERS] = ', '.join(\n settings.CORS_EXPOSE_HEADERS)\n\n if settings.CORS_ALLOW_CREDENTIALS:\n response[ACCESS_CONTROL_ALLOW_CREDENTIALS] = 'true'\n\n if request.method == 'OPTIONS':\n response[ACCESS_CONTROL_ALLOW_HEADERS] = ', '.join(\n settings.CORS_ALLOW_HEADERS)\n response[ACCESS_CONTROL_ALLOW_METHODS] = ', '.join(\n settings.CORS_ALLOW_METHODS)\n if settings.CORS_PREFLIGHT_MAX_AGE:\n response[ACCESS_CONTROL_MAX_AGE] = \\\n settings.CORS_PREFLIGHT_MAX_AGE\n\n return response\n\n def origin_not_found_in_white_lists(self, origin, url):\n return (url.netloc not in settings.CORS_ORIGIN_WHITELIST and\n not self.regex_domain_match(origin))\n\n def regex_domain_match(self, origin):\n for domain_pattern in settings.CORS_ORIGIN_REGEX_WHITELIST:\n if re.match(domain_pattern, origin):\n return origin\n\n def is_enabled(self, request):\n return re.match(settings.CORS_URLS_REGEX, request.path) or \\\n self.regex_url_allow_all_match(request.path) or \\\n self.check_signal(request)\n\n def check_signal(self, request):\n signal_response = signals.check_request_enabled.send(\n sender=None, request=request\n )\n for function, return_value in signal_response:\n if return_value:\n return True\n return False\n\n def regex_url_allow_all_match(self, path):\n for url_pattern in settings.CORS_URLS_ALLOW_ALL_REGEX:\n if re.match(url_pattern, path):\n return path\n" }, { "path": "corsheaders/migrations/0001_initial.py", "content": "# -*- coding: utf-8 -*-\n# Generated by Django 1.10.1 on 2017-01-18 21:36\nfrom __future__ import unicode_literals\n\nfrom django.db import migrations, models\n\n\nclass Migration(migrations.Migration):\n\n initial = True\n\n dependencies = [\n ]\n\n operations = [\n migrations.CreateModel(\n name='CorsModel',\n fields=[\n ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),\n ('cors', models.CharField(max_length=255)),\n ],\n ),\n ]\n" }, { "path": "corsheaders/migrations/__init__.py", "content": "" }, { "path": "corsheaders/models.py", "content": "from django.db import models\n\n# For signal registration\nfrom .signals import check_request_enabled # noqa\n\n\nclass CorsModel(models.Model):\n cors = models.CharField(max_length=255)\n" }, { "path": "corsheaders/signals.py", "content": "import django.dispatch\n\n# Return Truthy values to enable a specific request.\n# This allows users to build custom logic into the request handling\ncheck_request_enabled = django.dispatch.Signal(\n providing_args=[\"request\"]\n)\n" }, { "path": "corsheaders/tests.py", "content": "from django.conf.urls import url\nfrom django.http import HttpResponse\nfrom django.test import TestCase\nfrom corsheaders.middleware import CorsMiddleware, CorsPostCsrfMiddleware\nfrom corsheaders.middleware import ACCESS_CONTROL_ALLOW_ORIGIN\nfrom corsheaders.middleware import ACCESS_CONTROL_EXPOSE_HEADERS\nfrom corsheaders.middleware import ACCESS_CONTROL_ALLOW_CREDENTIALS\nfrom corsheaders.middleware import ACCESS_CONTROL_ALLOW_HEADERS\nfrom corsheaders.middleware import ACCESS_CONTROL_ALLOW_METHODS\nfrom corsheaders.middleware import ACCESS_CONTROL_MAX_AGE\nfrom corsheaders import defaults as settings\nfrom corsheaders import signals\nfrom mock import Mock\nfrom mock import patch\n\n\ndef test_view(request):\n return HttpResponse(\"Test view\")\n\n\ndef test_view_http401(request):\n return HttpResponse('Unauthorized', status=401)\n\n\nurlpatterns = [\n url(r'^test-view/$', test_view, name='test-view'),\n url(r'^test-view-http401/$', test_view_http401, name='test-view-http401'),\n]\n\n\nclass settings_override(object):\n def __init__(self, **kwargs):\n self.overrides = kwargs\n\n def __enter__(self):\n self.old = dict((key, getattr(settings, key)) for key in self.overrides)\n settings.__dict__.update(self.overrides)\n\n def __exit__(self, exc, value, tb):\n settings.__dict__.update(self.old)\n\n\nclass TestCorsMiddlewareProcessRequest(TestCase):\n\n def setUp(self):\n self.middleware = CorsMiddleware()\n\n def test_process_request(self):\n request = Mock(path='/')\n request.method = 'OPTIONS'\n request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}\n with settings_override(CORS_URLS_REGEX='^.*$'):\n response = self.middleware.process_request(request)\n self.assertIsInstance(response, HttpResponse)\n\n def test_process_request_empty_header(self):\n request = Mock(path='/')\n request.method = 'OPTIONS'\n request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': ''}\n with settings_override(CORS_URLS_REGEX='^.*$'):\n response = self.middleware.process_request(request)\n self.assertIsInstance(response, HttpResponse)\n\n def test_process_request_no_header(self):\n request = Mock(path='/')\n request.method = 'OPTIONS'\n request.META = {}\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n\n def test_process_request_not_options(self):\n request = Mock(path='/')\n request.method = 'GET'\n request.META = {'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'value'}\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n\n def test_process_request_replace_https_referer(self):\n post_middleware = CorsPostCsrfMiddleware()\n request = Mock(path='/')\n request.method = 'GET'\n request.is_secure = lambda: True\n\n # make sure it doesnt blow up when HTTP_REFERER is not present\n request.META = {\n 'HTTP_HOST': 'foobar.com',\n 'HTTP_ORIGIN': 'https://foo.google.com',\n }\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n\n # make sure it doesnt blow up when HTTP_HOST is not present\n request.META = {\n 'HTTP_REFERER': 'http://foo.google.com/',\n 'HTTP_ORIGIN': 'https://foo.google.com',\n }\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n\n request.is_secure = lambda: False\n request.META = {\n 'HTTP_REFERER': 'http://foo.google.com/',\n 'HTTP_HOST': 'foobar.com',\n 'HTTP_ORIGIN': 'http://foo.google.com',\n }\n\n # test that we won't replace if the request is not secure\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)\n self.assertEquals(request.META['HTTP_REFERER'], 'http://foo.google.com/')\n\n request.is_secure = lambda: True\n request.META = {\n 'HTTP_REFERER': 'https://foo.google.com/',\n 'HTTP_HOST': 'foobar.com',\n 'HTTP_ORIGIN': 'https://foo.google.com',\n }\n\n # test that we won't replace with the setting off\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*'):\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')\n\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_request(request)\n self.assertIsNone(response)\n self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')\n\n # make sure the replace code is idempotent\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_view(request, None, None, None)\n self.assertIsNone(response)\n self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')\n\n with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):\n post_middleware.process_request(request)\n self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')\n\n with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):\n response = post_middleware.process_request(request)\n self.assertIsNone(response)\n\n def test_process_view_replace_https_referer(self):\n post_middleware = CorsPostCsrfMiddleware()\n request = Mock(path='/')\n request.method = 'GET'\n request.is_secure = lambda: True\n request.META = {\n 'HTTP_REFERER': 'https://foo.google.com/',\n 'HTTP_HOST': 'foobar.com',\n 'HTTP_ORIGIN': 'https://foo.google.com',\n }\n with settings_override(CORS_URLS_REGEX='^.*$',\n CORS_ORIGIN_REGEX_WHITELIST='.*google.*',\n CORS_REPLACE_HTTPS_REFERER=True):\n response = self.middleware.process_view(request, None, None, None)\n self.assertIsNone(response)\n self.assertEquals(request.META['ORIGINAL_HTTP_REFERER'], 'https://foo.google.com/')\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foobar.com/')\n\n with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):\n post_middleware.process_view(request, None, None, None)\n self.assertTrue('ORIGINAL_HTTP_REFERER' not in request.META)\n self.assertEquals(request.META['HTTP_REFERER'], 'https://foo.google.com/')\n\n with settings_override(CORS_URLS_REGEX='^.*$', CORS_REPLACE_HTTPS_REFERER=True):\n response = post_middleware.process_view(request, None, None, None)\n self.assertIsNone(response)\n\n\n@patch('corsheaders.middleware.settings')\nclass TestCorsMiddlewareProcessResponse(TestCase):\n\n def setUp(self):\n self.middleware = CorsMiddleware()\n\n def assertAccessControlAllowOriginEquals(self, response, header):\n self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, response, \"Response %r does \"\n \"NOT have %r header\" % (response, ACCESS_CONTROL_ALLOW_ORIGIN))\n self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], header)\n\n def test_process_response_no_origin(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={})\n processed = self.middleware.process_response(request, response)\n self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)\n\n def test_process_response_not_in_whitelist(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ORIGIN_WHITELIST = ['example.com']\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'})\n processed = self.middleware.process_response(request, response)\n self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)\n\n def test_process_response_signal_works(self, settings):\n def handler(sender, request, **kwargs):\n return True\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ORIGIN_WHITELIST = ['example.com']\n settings.CORS_URLS_REGEX = '^.*$'\n signals.check_request_enabled.connect(handler)\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'})\n processed = self.middleware.process_response(request, response)\n self.assertIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)\n\n def test_process_response_in_whitelist(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it']\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foobar.it'})\n processed = self.middleware.process_response(request, response)\n self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it')\n\n def test_process_response_expose_headers(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_EXPOSE_HEADERS = ['accept', 'origin', 'content-type']\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed[ACCESS_CONTROL_EXPOSE_HEADERS],\n 'accept, origin, content-type')\n\n def test_process_response_dont_expose_headers(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_EXPOSE_HEADERS = []\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})\n processed = self.middleware.process_response(request, response)\n self.assertNotIn(ACCESS_CONTROL_EXPOSE_HEADERS, processed)\n\n def test_process_response_allow_credentials(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_ALLOW_CREDENTIALS = True\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed[ACCESS_CONTROL_ALLOW_CREDENTIALS], 'true')\n\n def test_process_response_dont_allow_credentials(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_ALLOW_CREDENTIALS = False\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://example.com'})\n processed = self.middleware.process_response(request, response)\n self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, processed)\n\n def test_process_response_options_method(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_ALLOW_HEADERS = ['content-type', 'origin']\n settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS']\n settings.CORS_PREFLIGHT_MAX_AGE = 1002\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request_headers = {'HTTP_ORIGIN': 'http://example.com'}\n request = Mock(path='/', META=request_headers, method='OPTIONS')\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS],\n 'content-type, origin')\n self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS')\n self.assertEqual(processed[ACCESS_CONTROL_MAX_AGE], '1002')\n\n def test_process_response_options_method_no_max_age(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_ALLOW_HEADERS = ['content-type', 'origin']\n settings.CORS_ALLOW_METHODS = ['GET', 'OPTIONS']\n settings.CORS_PREFLIGHT_MAX_AGE = 0\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request_headers = {'HTTP_ORIGIN': 'http://example.com'}\n request = Mock(path='/', META=request_headers, method='OPTIONS')\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed[ACCESS_CONTROL_ALLOW_HEADERS],\n 'content-type, origin')\n self.assertEqual(processed[ACCESS_CONTROL_ALLOW_METHODS], 'GET, OPTIONS')\n self.assertNotIn(ACCESS_CONTROL_MAX_AGE, processed)\n\n def test_process_response_whitelist_with_port(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ALLOW_METHODS = ['OPTIONS']\n settings.CORS_ORIGIN_WHITELIST = ('localhost:9000',)\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request_headers = {'HTTP_ORIGIN': 'http://localhost:9000'}\n request = Mock(path='/', META=request_headers, method='OPTIONS')\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_CREDENTIALS, None), 'true')\n\n def test_process_response_adds_origin_when_domain_found_in_origin_regex_whitelist(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\\w+\\.)?google\\.com$', )\n settings.CORS_ALLOW_CREDENTIALS = True\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ALLOW_METHODS = ['OPTIONS']\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}\n request = Mock(path='/', META=request_headers, method='OPTIONS')\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')\n\n def test_process_response_will_not_add_origin_when_domain_not_found_in_origin_regex_whitelist(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_REGEX_WHITELIST = ('^http?://(\\w+\\.)?yahoo\\.com$', )\n settings.CORS_ALLOW_CREDENTIALS = True\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ALLOW_METHODS = ['OPTIONS']\n settings.CORS_URLS_REGEX = '^.*$'\n response = HttpResponse()\n request_headers = {'HTTP_ORIGIN': 'http://foo.google.com'}\n request = Mock(path='/', META=request_headers, method='OPTIONS')\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), None)\n\n def test_process_response_when_custom_model_enabled(self, settings):\n from corsheaders.models import CorsModel\n CorsModel.objects.create(cors='foo.google.com')\n settings.CORS_ORIGIN_REGEX_WHITELIST = ()\n settings.CORS_ALLOW_CREDENTIALS = False\n settings.CORS_ORIGIN_ALLOW_ALL = False\n settings.CORS_ALLOW_METHODS = settings.default_methods\n settings.CORS_URLS_REGEX = '^.*$'\n settings.CORS_MODEL = 'corsheaders.CorsModel'\n response = HttpResponse()\n request = Mock(path='/', META={'HTTP_ORIGIN': 'http://foo.google.com'})\n processed = self.middleware.process_response(request, response)\n self.assertEqual(processed.get(ACCESS_CONTROL_ALLOW_ORIGIN, None), 'http://foo.google.com')\n\n def test_process_response_in_allow_all_path(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it']\n settings.CORS_URLS_REGEX = '^.*$'\n settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',)\n response = HttpResponse()\n request = Mock(path='/api/data', META={'HTTP_ORIGIN': 'http://foobar.it'})\n processed = self.middleware.process_response(request, response)\n self.assertAccessControlAllowOriginEquals(processed, 'http://foobar.it')\n\n def test_process_response_not_in_allow_all_path(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = False\n # settings.CORS_ORIGIN_WHITELIST = ['example.com', 'foobar.it']\n settings.CORS_URLS_REGEX = '^.*$'\n settings.CORS_URLS_ALLOW_ALL_REGEX = (r'^/api/.*$',)\n response = HttpResponse()\n request = Mock(path='/data', META={'HTTP_ORIGIN': 'http://foobar.it'})\n processed = self.middleware.process_response(request, response)\n self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, processed)\n\n def test_middleware_integration_get(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_URLS_REGEX = '^.*$'\n response = self.client.get('/test-view/', HTTP_ORIGIN='http://foobar.it')\n self.assertEqual(response.status_code, 200)\n self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')\n\n def test_middleware_integration_options(self, settings):\n settings.CORS_MODEL = None\n settings.CORS_URLS_REGEX = '^.*$'\n settings.CORS_ALLOW_CREDENTIALS = True\n settings.CORS_ORIGIN_ALLOW_ALL = True\n response = self.client.options(\n '/test-view/',\n HTTP_ORIGIN='http://foobar.it',\n HTTP_ACCESS_CONTROL_REQUEST_METHOD='value',\n )\n self.assertEqual(response.status_code, 200)\n self.assertEqual(response[ACCESS_CONTROL_ALLOW_ORIGIN], 'http://foobar.it')\n self.assertEqual(response['Vary'], 'Origin')\n\n def test_middleware_integration_get_auth_view(self, settings):\n \"\"\"\n It's not clear whether the header should still be set for non-HTTP200\n when not a preflight request. However this is the existing behaviour for\n django-cors-middleware, so at least this test makes that explicit, especially\n since for the switch to Django 1.10, special-handling will need to be put in\n place to preserve this behaviour. See `ExceptionMiddleware` mention here:\n https://docs.djangoproject.com/en/1.10/topics/http/middleware/#upgrading-pre-django-1-10-style-middleware\n \"\"\"\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_URLS_REGEX = '^.*$'\n response = self.client.get('/test-view-http401/', HTTP_ORIGIN='http://foobar.it')\n self.assertEqual(response.status_code, 401)\n self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')\n\n def test_middleware_integration_preflight_auth_view(self, settings):\n \"\"\"\n Ensure HTTP200 and header still set, for preflight requests to views requiring\n authentication. See: https://github.com/ottoyiu/django-cors-headers/issues/3\n \"\"\"\n settings.CORS_MODEL = None\n settings.CORS_ORIGIN_ALLOW_ALL = True\n settings.CORS_URLS_REGEX = '^.*$'\n response = self.client.options('/test-view-http401/',\n HTTP_ORIGIN='http://foobar.it',\n HTTP_ACCESS_CONTROL_REQUEST_METHOD='value')\n self.assertEqual(response.status_code, 200)\n self.assertAccessControlAllowOriginEquals(response, 'http://foobar.it')\n" }, { "path": "flake8.cfg", "content": "[flake8]\nmax-complexity=12\nexclude=tests.py,.tox,*.egg\nmax-line-length=120\n" }, { "path": "setup.cfg", "content": "[metadata]\ndescription-file = README.rst" }, { "path": "setup.py", "content": "#!/usr/bin/env python\n\nfrom corsheaders import __version__\nfrom setuptools import setup, find_packages\n\nsetup(\n name='django-cors-middleware',\n version=__version__,\n description='django-cors-middleware is a Django application for handling the server headers required for Cross-Orig'\n 'in Resource Sharing (CORS). Fork of django-cors-headers.',\n author='Zeste de Savoir',\n author_email='dev@gustavi.net',\n url='https://github.com/zestedesavoir/django-cors-middleware',\n packages=find_packages(),\n license='MIT License',\n keywords='django cors middleware rest api',\n platforms=['any'],\n classifiers=[\n 'Development Status :: 5 - Production/Stable',\n 'Environment :: Web Environment',\n 'Framework :: Django',\n 'Intended Audience :: Developers',\n 'License :: OSI Approved :: MIT License',\n 'Operating System :: OS Independent',\n 'Programming Language :: Python',\n 'Programming Language :: Python :: 2',\n 'Programming Language :: Python :: 2.7',\n 'Programming Language :: Python :: 3',\n 'Programming Language :: Python :: 3.3',\n 'Programming Language :: Python :: 3.4',\n 'Programming Language :: Python :: 3.5',\n 'Programming Language :: Python :: 3.6',\n 'Programming Language :: Python :: 3.7',\n 'Topic :: Software Development :: Libraries :: Application Frameworks',\n 'Topic :: Software Development :: Libraries :: Python Modules',\n ],\n install_requires=[],\n tests_require=['mock >= 1.0'],\n test_suite='tests.main',\n)\n" }, { "path": "tests.py", "content": "#!/usr/bin/env python\n\"\"\"\n\"\"\"\nimport sys\n\n\ndef run_tests():\n import django\n from django.conf import global_settings\n from django.conf import settings\n\n if django.VERSION >= (1, 10):\n middleware_setting = 'MIDDLEWARE'\n else:\n middleware_setting = 'MIDDLEWARE_CLASSES'\n\n middleware = list(getattr(global_settings, middleware_setting) or [])\n middleware.append('corsheaders.middleware.CorsMiddleware')\n\n config = {\n 'INSTALLED_APPS': [\n 'corsheaders',\n ],\n 'DATABASES': {\n 'default': {\n 'ENGINE': 'django.db.backends.sqlite3',\n 'TEST_NAME': ':memory:',\n },\n },\n 'ROOT_URLCONF': 'corsheaders.tests',\n middleware_setting: middleware,\n }\n settings.configure(**config)\n\n if hasattr(django, 'setup'):\n django.setup()\n\n try:\n from django.test.runner import DiscoverRunner as Runner\n except ImportError:\n from django.test.simple import DjangoTestSuiteRunner as Runner\n\n test_runner = Runner(verbosity=1)\n return test_runner.run_tests(['corsheaders'])\n\n\ndef main():\n failures = run_tests()\n sys.exit(failures)\n\nif __name__ == '__main__':\n main()\n" }, { "path": "tox.ini", "content": "[tox]\ndownloadcache = {toxworkdir}/cache/\nenvlist =\n py{27,34,35,36,37}-django110\n py{27,34,35,36,37}-django111\n\n # First Django version that drops Python 2 support\n py{34,35,36,37}-django20\n\n # First Django version that drops support for Python versions below 3.5\n py{35,36,37}-django21\n\n[testenv]\ncommands = python setup.py test\ndeps =\n\tdjango18: Django >=1.8, <1.9\n\tdjango19: Django >=1.9, <2.0\n\tdjango110: Django >=1.10, <1.11\n\tdjango111: Django >=1.11, <2.0\n\tdjango20: Django >=2.0, <2.1\n\tdjango21: Django >=2.1, <2.2\n" } ]