コード例 #1
        // A CorsResult that carries at least one error message must report itself as invalid.
        public void IsValid_ReturnsFalse_WhenThereIsError()
        {
            var corsResult = new CorsResult
            {
                ErrorMessages = { "error" }
            };

            Assert.False(corsResult.IsValid);
        }
コード例 #2
        // A freshly constructed CorsResult must not produce any CORS response headers.
        public void ToResponseHeaders_ReturnsNoHeaders_ByDefault()
        {
            var corsResult = new CorsResult();

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.Empty(responseHeaders);
        }
コード例 #3
 // Assigning a negative PreflightMaxAge must be rejected; the assertion helper is
 // given the parameter name "value" and the expected message text.
 public void SettingNegativePreflightMaxAge_Throws()
 {
     var corsResult = new CorsResult();

     Assert.ThrowsArgumentOutOfRange(
         () => { corsResult.PreflightMaxAge = -2; },
         "value",
         "PreflightMaxAge must be greater than or equal to 0.");
 }
コード例 #4
        // Without an allowed origin the Access-Control-Allow-Origin header must be absent,
        // i.e. the response grants no cross-origin read.
        public void ToResponseHeaders_NoAllowOrigin_AllowOriginHeaderNotAdded()
        {
            var corsResult = new CorsResult();
            corsResult.AllowedOrigin = null;

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.DoesNotContain("Access-Control-Allow-Origin", responseHeaders.Keys);
        }
コード例 #5
        // A configured allowed origin must be emitted verbatim as Access-Control-Allow-Origin.
        public void ToResponseHeaders_AllowOrigin_AllowOriginHeaderAdded()
        {
            var corsResult = new CorsResult();
            corsResult.AllowedOrigin = "http://example.com";

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.Equal("http://example.com", responseHeaders["Access-Control-Allow-Origin"]);
        }
コード例 #6
        // Pins the default state of CorsResult: nothing is allowed, credentials are off,
        // and the result is valid because no error has been recorded.
        public void Default_Constructor()
        {
            var corsResult = new CorsResult();

            // Every allow-list and the error list start out empty.
            Assert.Empty(corsResult.AllowedHeaders);
            Assert.Empty(corsResult.AllowedExposedHeaders);
            Assert.Empty(corsResult.AllowedMethods);
            Assert.Empty(corsResult.ErrorMessages);

            // Scalar settings start out at their most restrictive values.
            Assert.False(corsResult.SupportsCredentials);
            Assert.Null(corsResult.AllowedOrigin);
            Assert.Null(corsResult.PreflightMaxAge);

            Assert.True(corsResult.IsValid);
        }
コード例 #7
        // An exposed header on the result must be written as the only response header,
        // Access-Control-Expose-Headers.
        public void WriteCorsHeaders_WritesAllowExposedHeaders()
        {
            var corsResult = new CorsResult();
            corsResult.AllowedExposedHeaders.Add("baz");
            var response = new HttpResponseMessage();

            response.WriteCorsHeaders(corsResult);

            HttpResponseHeaders responseHeaders = response.Headers;
            Assert.Equal(1, responseHeaders.Count());

            // The header value is a comma-separated list; split it before looking for the entry.
            string headerValue = responseHeaders.GetValues("Access-Control-Expose-Headers").FirstOrDefault();
            string[] exposedHeaders = headerValue.Split(',');
            Assert.Contains("baz", exposedHeaders);
        }
コード例 #8
ファイル: CorsResultTests.cs プロジェクト: Norgerman/CORS
        // Pins the default state of CorsResult: empty allow-lists, no credentials,
        // no allowed origin and no preflight cache lifetime.
        public void Default_Constructor()
        {
            // Arrange and act: construction is the operation under test.
            CorsResult corsResult = new CorsResult();

            // Assert: the collections start out empty.
            Assert.Empty(corsResult.AllowedHeaders);
            Assert.Empty(corsResult.AllowedExposedHeaders);
            Assert.Empty(corsResult.AllowedMethods);

            // Assert: the scalar settings start out unset.
            Assert.False(corsResult.SupportsCredentials);
            Assert.Null(corsResult.AllowedOrigin);
            Assert.Null(corsResult.PreflightMaxAge);
        }
コード例 #9
        // Both configured methods must end up in a single Access-Control-Allow-Methods header.
        public void WriteCorsHeaders_WritesAllowMethods()
        {
            var corsResult = new CorsResult
            {
                AllowedMethods = { "DELETE", "PUT" }
            };
            var response = new HttpResponseMessage();

            response.WriteCorsHeaders(corsResult);

            HttpResponseHeaders responseHeaders = response.Headers;
            Assert.Equal(1, responseHeaders.Count());

            // The methods are carried as one comma-separated value.
            string headerValue = responseHeaders.GetValues("Access-Control-Allow-Methods").FirstOrDefault();
            string[] allowMethods = headerValue.Split(',');
            Assert.Contains("DELETE", allowMethods);
            Assert.Contains("PUT", allowMethods);
        }
コード例 #10
        // When the result supports credentials, the only header written must be
        // Access-Control-Allow-Credentials with the literal value "true".
        public void WriteCorsHeaders_WritesAllowCredentials()
        {
            var corsResult = new CorsResult();
            corsResult.SupportsCredentials = true;
            var response = new HttpResponseMessage();

            response.WriteCorsHeaders(corsResult);

            HttpResponseHeaders responseHeaders = response.Headers;
            Assert.Single(responseHeaders);

            string credentialsValue = responseHeaders.GetValues("Access-Control-Allow-Credentials").FirstOrDefault();
            Assert.Equal("true", credentialsValue);
        }
コード例 #11
        // The allowed methods on the result must be written as one
        // Access-Control-Allow-Methods header containing both entries.
        public void WriteCorsHeaders_WritesAllowMethods()
        {
            var response = new HttpResponseMessage();
            var corsResult = new CorsResult();
            foreach (string method in new[] { "DELETE", "PUT" })
            {
                corsResult.AllowedMethods.Add(method);
            }

            response.WriteCorsHeaders(corsResult);

            HttpResponseHeaders written = response.Headers;
            Assert.Equal(1, written.Count());

            // Split the comma-separated value before checking membership.
            string rawValue = written.GetValues("Access-Control-Allow-Methods").FirstOrDefault();
            string[] allowMethods = rawValue.Split(',');
            Assert.Contains("DELETE", allowMethods);
            Assert.Contains("PUT", allowMethods);
        }
コード例 #12
        // With any origin allowed and credentials disabled, the engine must answer with the
        // literal wildcard "*" instead of echoing the request's Origin value.
        public void EvaluatePolicy_AllowAnyOrigin_DoesNotSupportCredentials_EmitsWildcardForOrigin()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";
            var policy = new CorsPolicy();
            policy.AllowAnyOrigin = true;
            policy.SupportsCredentials = false;

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.Equal("*", evaluated.AllowedOrigin);
        }
コード例 #13
ファイル: CorsResultTests.cs プロジェクト: Norgerman/CORS
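        // Assigning a negative PreflightMaxAge must throw ArgumentOutOfRangeException for "value".
        public void SettingNegativePreflightMaxAge_Throws()
        {
            // Arrange
            var result = new CorsResult();

            // Act
            var exception = Assert.Throws<ArgumentOutOfRangeException>(() =>
            {
                result.PreflightMaxAge = TimeSpan.FromSeconds(-1);
            });

            // Assert
            // The parameter name is checked through ParamName and only the message prefix is
            // compared: the runtime appends its own parameter suffix to Message, and both its
            // wording and its line ending differ between .NET versions and platforms, so
            // matching the full string makes the test fail for reasons unrelated to CorsResult.
            Assert.Equal("value", exception.ParamName);
            Assert.StartsWith("PreflightMaxAge must be greater than or equal to 0.", exception.Message);
        }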
コード例 #14
        // With any origin allowed AND credentials supported, this engine echoes the request's
        // Origin ("foo") as the allowed origin rather than returning "*".
        // NOTE(review): a policy configured this way authorises credentialed cross-origin reads
        // from every origin that asks; policies that enable credentials should list explicit
        // origins instead of AllowAnyOrigin.
        public void EvaluatePolicy_AllowAnyOrigin_SupportsCredentials_AddsSpecificOrigin()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";
            var policy = new CorsPolicy();
            policy.AllowAnyOrigin = true;
            policy.SupportsCredentials = true;

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.Equal("foo", evaluated.AllowedOrigin);
        }
コード例 #15
        // A policy that exposes no headers must yield a result with an empty exposed-header list.
        public void EvaluatePolicy_NoExposedHeaders_NoAllowExposedHeaders()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";
            var policy = new CorsPolicy();
            policy.AllowAnyOrigin = true;

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.Empty(evaluated.AllowedExposedHeaders);
        }
コード例 #16
        // A request origin that is not on the policy's origin list must produce an invalid
        // result whose error message names the rejected origin.
        public void EvaluatePolicy_NoMatchingOrigin_ReturnsInvalidResult()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";

            // The policy only knows "bar", so "foo" has to be refused.
            var policy = new CorsPolicy
            {
                Origins = { "bar" }
            };

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.False(evaluated.IsValid);
            Assert.Contains("The origin 'foo' is not allowed.", evaluated.ErrorMessages);
        }
        // Both allowed request headers must be written into one Access-Control-Allow-Headers header.
        public void WriteCorsHeaders_WritesAllowHeaders()
        {
            var corsResult = new CorsResult
            {
                AllowedHeaders = { "foo", "bar" }
            };
            var response = new HttpResponseMessage();

            response.WriteCorsHeaders(corsResult);

            HttpResponseHeaders written = response.Headers;
            Assert.Single(written);

            // The value is a comma-separated list; split it before checking membership.
            string rawValue = written.GetValues("Access-Control-Allow-Headers").FirstOrDefault();
            string[] allowHeaders = rawValue.Split(',');
            Assert.Contains("foo", allowHeaders);
            Assert.Contains("bar", allowHeaders);
        }
コード例 #18
        // A policy that supports credentials must carry that flag over to the evaluated result.
        // NOTE(review): the fixture pairs AllowAnyOrigin with SupportsCredentials; in a real
        // policy that pairing authorises credentialed requests from any origin.
        public void EvaluatePolicy_SupportsCredentials_AllowCredentialsReturnsTrue()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";
            var policy = new CorsPolicy();
            policy.AllowAnyOrigin = true;
            policy.SupportsCredentials = true;

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.True(evaluated.SupportsCredentials);
        }
コード例 #19
        // A 30-second preflight lifetime must be written as Access-Control-Max-Age: 30.
        public void ApplyResult_PreflightMaxAge_MaxAgeHeaderAdded()
        {
            // Arrange: a result that only sets the preflight cache lifetime.
            var corsResult = new CorsResult();
            corsResult.PreflightMaxAge = TimeSpan.FromSeconds(30);
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the lifetime is rendered in whole seconds.
            Assert.Equal("30", context.Response.Headers["Access-Control-Max-Age"]);
        }
コード例 #20
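    // Assigning a negative PreflightMaxAge must throw ArgumentOutOfRangeException for "value".
    public void SettingNegativePreflightMaxAge_Throws()
    {
        // Arrange
        var result = new CorsResult();

        // Act
        var exception = Assert.Throws<ArgumentOutOfRangeException>(() =>
        {
            result.PreflightMaxAge = TimeSpan.FromSeconds(-1);
        });

        // Assert
        // The parameter name is checked through ParamName and only the message prefix is
        // compared, so the test does not depend on how the runtime formats the parameter
        // suffix it appends to Message. The original literal was also an interpolated
        // string with nothing to interpolate.
        Assert.Equal("value", exception.ParamName);
        Assert.StartsWith("PreflightMaxAge must be greater than or equal to 0.", exception.Message);
    }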
コード例 #21
        // A single exposed header must be written as Access-Control-Expose-Headers.
        public void ApplyResult_OneAllowExposedHeaders_ExposedHeadersHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult
            {
                AllowedExposedHeaders = { "foo" }
            };
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("foo", context.Response.Headers["Access-Control-Expose-Headers"]);
        }
コード例 #22
        // A single allowed method must be written as Access-Control-Allow-Methods.
        public void ApplyResult_OneAllowMethods_AllowMethodsHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult
            {
                AllowedMethods = { "PUT" }
            };
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("PUT", context.Response.Headers["Access-Control-Allow-Methods"]);
        }
コード例 #23
        // A request context without an Origin value must produce an invalid result that
        // explains the missing header.
        public void EvaluatePolicy_NoOrigin_ReturnsInvalidResult()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = null;
            requestContext.HttpMethod = "GET";
            var policy = new CorsPolicy();

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.False(evaluated.IsValid);
            Assert.Contains("The request does not contain the Origin header.", evaluated.ErrorMessages);
        }
コード例 #24
        // The allowed origin on the result must be written verbatim as Access-Control-Allow-Origin.
        public void ApplyResult_AllowOrigin_AllowOriginHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult();
            corsResult.AllowedOrigin = "http://example.com";
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("http://example.com", context.Response.Headers["Access-Control-Allow-Origin"]);
        }
コード例 #25
        // With no preflight lifetime set, Access-Control-Max-Age must not be written.
        public void ApplyResult_NoPreflightMaxAge_MaxAgeHeaderNotAdded()
        {
            // Arrange
            var corsResult = new CorsResult();
            corsResult.PreflightMaxAge = null;
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Max-Age", context.Response.Headers.Keys);
        }
コード例 #26
        // With no exposed headers on the result, Access-Control-Expose-Headers must not be written.
        public void ApplyResult_NoAllowExposedHeaders_ExposedHeadersHeaderNotAdded()
        {
            // Arrange: the exposed-header list is deliberately left at its empty default.
            var corsResult = new CorsResult();
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Expose-Headers", context.Response.Headers.Keys);
        }
コード例 #27
        // When credentials are not supported, Access-Control-Allow-Credentials must be omitted
        // entirely rather than written with a false value.
        public void ApplyResult_NoAllowCredentials_AllowCredentialsHeaderNotAdded()
        {
            // Arrange
            var corsResult = new CorsResult();
            corsResult.SupportsCredentials = false;
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Allow-Credentials", context.Response.Headers.Keys);
        }
コード例 #28
        // A header exposed by the policy must be the one and only exposed header on the result.
        public void EvaluatePolicy_OneExposedHeaders_HeadersAllowed()
        {
            var engine = new CorsEngine();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "foo";
            var policy = new CorsPolicy
            {
                AllowAnyOrigin = true,
                ExposedHeaders = { "foo" }
            };

            CorsResult evaluated = engine.EvaluatePolicy(requestContext, policy);

            Assert.Equal(1, evaluated.AllowedExposedHeaders.Count);
            Assert.Contains("foo", evaluated.AllowedExposedHeaders);
        }
コード例 #29
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // When the result asks to vary by origin, the response must carry "Vary: Origin",
        // which tells caches that the response depends on the request's Origin header.
        public void ApplyResult_AddVaryHeader_VaryHeaderAdded()
        {
            // Arrange
            CorsResult corsResult = new CorsResult();
            corsResult.VaryByOrigin = true;
            DefaultHttpContext context = new DefaultHttpContext();
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("Origin", context.Response.Headers["Vary"]);
        }
コード例 #30
        /// <summary>
        /// Message handler step that applies CORS to a request: preflight requests are answered
        /// here, every other request is forwarded to the inner handler and its response gets the
        /// CORS headers only when the policy evaluation succeeds.
        /// </summary>
        /// <param name="request">The incoming HTTP request.</param>
        /// <param name="cancellationToken">Token passed on to the inner handler and the policy provider.</param>
        /// <returns>The preflight answer, or the inner handler's response.</returns>
        protected async override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Build a CorsRequestContext from the current request.
            CorsRequestContext context = request.CreateCorsRequestContext();

            // Non-preflight request: pass it down the rest of the message-handler pipeline and keep the response.
            // NOTE(review): the inner handler has already processed the request by the time the
            // policy is evaluated below, so a failed CORS check only withholds the response
            // headers. It does not stop the action from running; server-side authorization and
            // CSRF protection are still needed for state-changing endpoints.
            HttpResponseMessage response = null;

            if (!context.IsPreflight)
            {
                response = await base.SendAsync(request, cancellationToken);
            }

            // Use the registered CorsPolicyProviderFactory to obtain the matching CorsPolicyProvider,
            // then ask that provider for the CorsPolicy describing the CORS authorization rules.
            // NOTE(review): the provider and the policy are dereferenced without a null check;
            // confirm neither can be null for endpoints that have no CORS policy configured.
            HttpConfiguration configuration = request.GetConfiguration();
            CorsPolicy        policy        = await configuration.GetCorsPolicyProviderFactory().GetCorsPolicyProvider(request).GetCorsPolicyAsync(request, cancellationToken);

            // Fetch the registered CorsEngine and let it check the request against the policy;
            // the outcome of that check is the CorsResult.
            ICorsEngine engine = configuration.GetCorsEngine();
            CorsResult  result = engine.EvaluatePolicy(context, policy);

            // Preflight request:
            // if the check passes, answer "200 OK" and add the CORS headers;
            // if it fails, answer "400 Bad Request" and state why the check failed.
            if (context.IsPreflight)
            {
                if (result.IsValid)
                {
                    response = new HttpResponseMessage(HttpStatusCode.OK);
                    response.AddCorsHeaders(result);
                }
                else
                {
                    // NOTE(review): the error messages are returned to the caller; presumably they
                    // can quote request values such as the origin, so confirm how the error
                    // response is encoded.
                    response = request.CreateErrorResponse(HttpStatusCode.BadRequest, string.Join(" |", result.ErrorMessages.ToArray()));
                }
            }
            // Non-preflight request:
            // the CORS headers are added to the response only when the check passed.
            else if (result.IsValid)
            {
                response.AddCorsHeaders(result);
            }
            return(response);
        }
コード例 #31
        // Of the four allowed headers only "foo" and "bar" must appear in
        // Access-Control-Allow-Headers; the simple headers "Content-Language" and "Accept"
        // are expected to be left out.
        public void ToResponseHeaders_SomeSimpleAllowHeaders_AllowHeadersHeaderAddedForNonSimpleHeaders()
        {
            var corsResult = new CorsResult
            {
                AllowedHeaders = { "Content-Language", "foo", "bar", "Accept" }
            };

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.Contains("Access-Control-Allow-Headers", responseHeaders.Keys);

            // The header value is a comma-separated list.
            string[] headerValues = responseHeaders["Access-Control-Allow-Headers"].Split(',');
            Assert.Equal(2, headerValues.Length);
            Assert.Contains("foo", headerValues);
            Assert.Contains("bar", headerValues);
        }
コード例 #32
        // Without an allowed origin on the result, Access-Control-Allow-Origin must not be written.
        public void ApplyResult_NoAllowOrigin_AllowOriginHeaderNotAdded()
        {
            // Arrange
            var corsResult = new CorsResult();
            corsResult.AllowedOrigin = null;
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Allow-Origin", context.Response.Headers.Keys);
        }
コード例 #33
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // When the result supports credentials, Access-Control-Allow-Credentials must be
        // written with the literal value "true".
        public void ApplyResult_AllowCredentials_AllowCredentialsHeaderAdded()
        {
            // Arrange
            CorsResult corsResult = new CorsResult();
            corsResult.SupportsCredentials = true;
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            DefaultHttpContext context = new DefaultHttpContext();
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("true", context.Response.Headers["Access-Control-Allow-Credentials"]);
        }
コード例 #34
        // When the result asks to vary by origin, the response must carry "Vary: Origin",
        // which tells caches that the response depends on the request's Origin header.
        public void ApplyResult_AddVaryHeader_VaryHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult();
            corsResult.VaryByOrigin = true;
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("Origin", context.Response.Headers["Vary"]);
        }
コード例 #35
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // The allowed origin on the result must be written verbatim as Access-Control-Allow-Origin.
        public void ApplyResult_AllowOrigin_AllowOriginHeaderAdded()
        {
            // Arrange
            CorsResult corsResult = new CorsResult();
            corsResult.AllowedOrigin = "http://example.com";
            DefaultHttpContext context = new DefaultHttpContext();
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.Equal("http://example.com", context.Response.Headers["Access-Control-Allow-Origin"]);
        }
コード例 #36
        // Method matching is case-sensitive: a policy that allows "POST" must reject a
        // preflight asking for "post" and record exactly one error message.
        public void TryValidateMethod_DoesCaseSensitiveComparison()
        {
            var engine = new CorsEngine();
            var policy = new CorsPolicy
            {
                Methods = { "POST" }
            };
            var corsResult = new CorsResult();
            var requestContext = new CorsRequestContext();
            requestContext.AccessControlRequestMethod = "post";

            bool accepted = engine.TryValidateMethod(requestContext, policy, corsResult);

            Assert.False(accepted);
            Assert.Equal(1, corsResult.ErrorMessages.Count);
            Assert.Equal("The method 'post' is not allowed.", corsResult.ErrorMessages[0]);
        }
コード例 #37
        // Origin matching is an exact, case-sensitive comparison: a policy entry of
        // "http://Example.com" must not authorise the origin "http://example.com".
        // NOTE(review): browsers serialise the Origin header with a lower-case scheme and
        // host, so policy entries should be stored in that form or they will never match.
        public void TryValidateOrigin_DoesCaseSensitiveComparison()
        {
            var engine = new CorsEngine();
            var policy = new CorsPolicy
            {
                Origins = { "http://Example.com" }
            };
            var corsResult = new CorsResult();
            var requestContext = new CorsRequestContext();
            requestContext.Origin = "http://example.com";

            bool accepted = engine.TryValidateOrigin(requestContext, policy, corsResult);

            Assert.False(accepted);
            Assert.Equal(1, corsResult.ErrorMessages.Count);
            Assert.Equal("The origin 'http://example.com' is not allowed.", corsResult.ErrorMessages[0]);
        }
コード例 #38
        // Of the four allowed methods only "PUT" and "DELETE" must appear in
        // Access-Control-Allow-Methods; "get" (lower case) and "POST" are expected to be
        // treated as simple methods and left out.
        public void ToResponseHeaders_SomeSimpleAllowMethods_AllowMethodsHeaderAddedForNonSimpleMethods()
        {
            var corsResult = new CorsResult
            {
                AllowedMethods = { "PUT", "get", "DELETE", "POST" }
            };

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.Contains("Access-Control-Allow-Methods", responseHeaders.Keys);

            // The header value is a comma-separated list.
            string[] methods = responseHeaders["Access-Control-Allow-Methods"].Split(',');
            Assert.Equal(2, methods.Length);
            Assert.Contains("PUT", methods);
            Assert.Contains("DELETE", methods);
        }
コード例 #39
        // Three exposed headers must all be listed in one Access-Control-Expose-Headers value.
        public void ToResponseHeaders_ManyAllowExposedHeaders_ExposedHeadersHeaderAdded()
        {
            var corsResult = new CorsResult
            {
                AllowedExposedHeaders = { "foo", "bar", "baz" }
            };

            IDictionary<string, string> responseHeaders = corsResult.ToResponseHeaders();

            Assert.Contains("Access-Control-Expose-Headers", responseHeaders.Keys);

            // The header value is a comma-separated list.
            string[] exposedHeaderValues = responseHeaders["Access-Control-Expose-Headers"].Split(',');
            Assert.Equal(3, exposedHeaderValues.Length);
            Assert.Contains("foo", exposedHeaderValues);
            Assert.Contains("bar", exposedHeaderValues);
            Assert.Contains("baz", exposedHeaderValues);
        }
コード例 #40
ファイル: CorsService.cs プロジェクト: pa-at/aspnetcore
    /// <inheritdoc />
    public CorsResult EvaluatePolicy(HttpContext context, CorsPolicy policy)
    {
        if (context is null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        if (policy is null)
        {
            throw new ArgumentNullException(nameof(policy));
        }

        // A policy that allows every origin and also supports credentials is refused before
        // any request data is looked at: it would authorise credentialed cross-origin
        // requests from any site.
        if (policy.AllowAnyOrigin && policy.SupportsCredentials)
        {
            throw new ArgumentException(Resources.InsecureConfiguration, nameof(policy));
        }

        var request = context.Request;
        var headers = request.Headers;
        var requestOrigin = headers.Origin;

        // Only an OPTIONS request that carries Access-Control-Request-Method is a preflight.
        var isOptions = HttpMethods.IsOptions(request.Method);
        var isPreflight = isOptions && headers.ContainsKey(CorsConstants.AccessControlRequestMethod);

        if (isOptions && !isPreflight)
        {
            _logger.IsNotPreflightRequest();
        }

        var corsResult = new CorsResult
        {
            IsPreflightRequest = isPreflight,
            IsOriginAllowed = IsOriginAllowed(policy, requestOrigin),
        };

        // Preflight and actual requests are completed by separate evaluators.
        if (isPreflight)
        {
            EvaluatePreflightRequest(context, policy, corsResult);
            return corsResult;
        }

        EvaluateRequest(context, policy, corsResult);
        return corsResult;
    }
コード例 #41
        // ToString must render every property, including IsValid (False here because two
        // errors were added) and the error messages themselves.
        // NOTE(review): "*" together with SupportsCredentials is only a formatting fixture;
        // browsers refuse a wildcard origin on credentialed responses.
        public void ToString_ReturnsThePropertyValues()
        {
            var corsResult = new CorsResult();
            corsResult.SupportsCredentials = true;
            corsResult.PreflightMaxAge = 20;
            corsResult.AllowedOrigin = "*";

            corsResult.AllowedExposedHeaders.Add("foo");
            foreach (string header in new[] { "bar", "baz" })
            {
                corsResult.AllowedHeaders.Add(header);
            }
            corsResult.AllowedMethods.Add("GET");
            foreach (string error in new[] { "error1", "error2" })
            {
                corsResult.ErrorMessages.Add(error);
            }

            string rendered = corsResult.ToString();

            Assert.Equal(@"IsValid: False, AllowCredentials: True, PreflightMaxAge: 20, AllowOrigin: *, AllowExposedHeaders: {foo}, AllowHeaders: {bar,baz}, AllowMethods: {GET}, ErrorMessages: {error1,error2}", rendered);
        }
コード例 #42
    // For an allowed origin on a preflight request, a 30-second lifetime must be written
    // as Access-Control-Max-Age: 30.
    public void ApplyResult_PreflightMaxAge_MaxAgeHeaderAdded()
    {
        // Arrange
        var corsResult = new CorsResult();
        corsResult.IsOriginAllowed = true;
        corsResult.IsPreflightRequest = true;
        corsResult.PreflightMaxAge = TimeSpan.FromSeconds(30);
        var context = new DefaultHttpContext();
        var corsService = GetCorsService();

        // Act
        corsService.ApplyResult(corsResult, context.Response);

        // Assert: the lifetime is rendered in whole seconds.
        Assert.Equal("30", context.Response.Headers["Access-Control-Max-Age"]);
    }
コード例 #43
    // For an allowed origin, a single exposed header must be written as
    // Access-Control-Expose-Headers.
    public void ApplyResult_OneAllowExposedHeaders_ExposedHeadersHeaderAdded()
    {
        // Arrange
        var corsResult = new CorsResult();
        corsResult.IsOriginAllowed = true;
        corsResult.AllowedExposedHeaders.Add("foo");
        var context = new DefaultHttpContext();
        var corsService = GetCorsService();

        // Act
        corsService.ApplyResult(corsResult, context.Response);

        // Assert
        Assert.Equal("foo", context.Response.Headers["Access-Control-Expose-Headers"]);
    }
コード例 #44
ファイル: CorsResultTests.cs プロジェクト: Norgerman/CORS
        // ToString must render the credentials flag, the preflight lifetime in seconds, the
        // allowed origin and the three allow-lists.
        // NOTE(review): "*" together with SupportsCredentials is only a formatting fixture;
        // browsers refuse a wildcard origin on credentialed responses.
        public void ToString_ReturnsThePropertyValues()
        {
            // Arrange
            var corsResult = new CorsResult
            {
                SupportsCredentials = true,
                PreflightMaxAge = TimeSpan.FromSeconds(30),
                AllowedOrigin = "*",
                AllowedExposedHeaders = { "foo" },
                AllowedHeaders = { "bar", "baz" },
                AllowedMethods = { "GET" }
            };

            // Act
            string rendered = corsResult.ToString();

            // Assert
            Assert.Equal(
                @"AllowCredentials: True, PreflightMaxAge: 30, AllowOrigin: *," +
                " AllowExposedHeaders: {foo}, AllowHeaders: {bar,baz}, AllowMethods: {GET}",
                rendered);
        }
コード例 #45
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Three exposed headers must be written as one Access-Control-Expose-Headers header
        // whose single value is the comma-joined list.
        public void ApplyResult_ManyAllowExposedHeaders_ExposedHeadersHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult
            {
                AllowedExposedHeaders = { "foo", "bar", "baz" }
            };
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the header exists and is the only one on the response.
            Assert.Contains("Access-Control-Expose-Headers", context.Response.Headers.Keys);
            var value = Assert.Single(context.Response.Headers.Values);
            Assert.Equal(new[] { "foo,bar,baz" }, value);

            // Assert: each entry can be recovered by splitting on the comma.
            string[] exposedHeaderValues = context.Response.Headers["Access-Control-Expose-Headers"].Split(',');
            Assert.Equal(3, exposedHeaderValues.Length);
            Assert.Contains("foo", exposedHeaderValues);
            Assert.Contains("bar", exposedHeaderValues);
            Assert.Contains("baz", exposedHeaderValues);
        }
コード例 #46
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // With no allowed methods on the result, Access-Control-Allow-Methods must not be written.
        public void ApplyResult_NoAllowMethods_AllowMethodsHeaderNotAdded()
        {
            // Arrange: the method list is deliberately left at its empty default.
            CorsResult corsResult = new CorsResult();
            DefaultHttpContext context = new DefaultHttpContext();
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Allow-Methods", context.Response.Headers.Keys);
        }
コード例 #47
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Without an allowed origin on the result, Access-Control-Allow-Origin must not be written.
        public void ApplyResult_NoAllowOrigin_AllowOriginHeaderNotAdded()
        {
            // Arrange
            CorsResult corsResult = new CorsResult();
            corsResult.AllowedOrigin = null;
            DefaultHttpContext context = new DefaultHttpContext();
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Allow-Origin", context.Response.Headers.Keys);
        }
コード例 #48
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // With no preflight lifetime set, Access-Control-Max-Age must not be written.
        public void ApplyResult_NoPreflightMaxAge_MaxAgeHeaderNotAdded()
        {
            // Arrange
            CorsResult corsResult = new CorsResult();
            corsResult.PreflightMaxAge = null;
            DefaultHttpContext context = new DefaultHttpContext();
            CorsService corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            Assert.DoesNotContain("Access-Control-Max-Age", context.Response.Headers.Keys);
        }
コード例 #49
ファイル: CorsServiceTests.cs プロジェクト: qiudesong/CORS
        // Three allowed headers must be written as one Access-Control-Allow-Headers header
        // whose single value is the comma-joined list.
        public void ApplyResult_ManyAllowHeaders_AllowHeadersHeaderAdded()
        {
            // Arrange
            var corsResult = new CorsResult
            {
                AllowedHeaders = { "foo", "bar", "baz" }
            };
            var context = new DefaultHttpContext();
            var corsService = new CorsService(new TestCorsOptions());

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the header exists and is the only one on the response.
            Assert.Contains("Access-Control-Allow-Headers", context.Response.Headers.Keys);
            var value = Assert.Single(context.Response.Headers.Values);
            Assert.Equal(new[] { "foo,bar,baz" }, value);

            // Assert: the comma-separated accessor returns each entry on its own.
            string[] headerValues = context.Response.Headers.GetCommaSeparatedValues("Access-Control-Allow-Headers");
            Assert.Equal(3, headerValues.Length);
            Assert.Contains("foo", headerValues);
            Assert.Contains("bar", headerValues);
            Assert.Contains("baz", headerValues);
        }
コード例 #50
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that a single non-simple allowed method (PUT) is written verbatim
        // to Access-Control-Allow-Methods.
        public void ApplyResult_OneAllowMethods_AllowMethodsHeaderAdded()
        {
            // Arrange: the result allows only PUT.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult
            {
                AllowedMethods = { "PUT" }
            };

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            var allowMethods = context.Response.Headers["Access-Control-Allow-Methods"];
            Assert.Equal("PUT", allowMethods);
        }
コード例 #51
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that a single exposed header is written verbatim to
        // Access-Control-Expose-Headers. That header controls which response headers
        // cross-origin script may read, so only names set on the result should appear.
        public void ApplyResult_OneAllowExposedHeaders_ExposedHeadersHeaderAdded()
        {
            // Arrange: the result exposes only "foo".
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult
            {
                AllowedExposedHeaders = { "foo" }
            };

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            var exposeHeaders = context.Response.Headers["Access-Control-Expose-Headers"];
            Assert.Equal("foo", exposeHeaders);
        }
コード例 #52
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that Access-Control-Allow-Credentials is not written when the
        // result does not support credentials. The header opts credentialed
        // cross-origin responses into being readable, so it must stay absent unless
        // SupportsCredentials was set.
        public void ApplyResult_NoAllowCredentials_AllowCredentialsHeaderNotAdded()
        {
            // Arrange: credentials support explicitly switched off.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            corsResult.SupportsCredentials = false;

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the credentials header is absent from the response.
            var headerNames = context.Response.Headers.Keys;
            Assert.DoesNotContain("Access-Control-Allow-Credentials", headerNames);
        }
コード例 #53
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that a 30-second preflight max age is written to
        // Access-Control-Max-Age as the string "30".
        public void ApplyResult_PreflightMaxAge_MaxAgeHeaderAdded()
        {
            // Arrange: the result carries a 30-second preflight lifetime.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            corsResult.PreflightMaxAge = TimeSpan.FromSeconds(30);

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            var maxAge = context.Response.Headers["Access-Control-Max-Age"];
            Assert.Equal("30", maxAge);
        }
コード例 #54
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that when only the CORS "simple" methods (GET, HEAD, POST) are
        // allowed, ApplyResult writes no Access-Control-Allow-Methods header at all.
        public void ApplyResult_SimpleAllowMethods_AllowMethodsHeaderNotAdded()
        {
            // Arrange: the result allows nothing beyond the simple methods.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            foreach (var method in new[] { "GET", "HEAD", "POST" })
            {
                corsResult.AllowedMethods.Add(method);
            }

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the methods header is absent from the response.
            var headerNames = context.Response.Headers.Keys;
            Assert.DoesNotContain("Access-Control-Allow-Methods", headerNames);
        }
コード例 #55
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that when only CORS "simple" request headers (Accept,
        // Accept-Language, Content-Language) are allowed, ApplyResult writes no
        // Access-Control-Allow-Headers header at all.
        public void ApplyResult_SimpleAllowHeaders_AllowHeadersHeaderNotAdded()
        {
            // Arrange: the result allows nothing beyond simple request headers.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            foreach (var header in new[] { "Accept", "Accept-Language", "Content-Language" })
            {
                corsResult.AllowedHeaders.Add(header);
            }

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the allow-headers header is absent from the response.
            var headerNames = context.Response.Headers.Keys;
            Assert.DoesNotContain("Access-Control-Allow-Headers", headerNames);
        }
コード例 #56
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that applying a default-constructed CorsResult leaves the response
        // with no headers at all, i.e. nothing is granted unless it was set on the result.
        public void ApplyResult_ReturnsNoHeaders_ByDefault()
        {
            // Arrange: an untouched result and a fresh response.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the header collection is still empty.
            var responseHeaders = context.Response.Headers;
            Assert.Empty(responseHeaders);
        }
コード例 #57
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that when the allowed headers mix simple headers (Content-Language,
        // Accept) with custom ones (foo, bar), only the custom names end up in
        // Access-Control-Allow-Headers.
        public void ApplyResult_SomeSimpleAllowHeaders_AllowHeadersHeaderAddedForNonSimpleHeaders()
        {
            // Arrange: two simple headers surrounding two custom ones.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            foreach (var header in new[] { "Content-Language", "foo", "bar", "Accept" })
            {
                corsResult.AllowedHeaders.Add(header);
            }

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the header exists and lists exactly the two custom names.
            Assert.Contains("Access-Control-Allow-Headers", context.Response.Headers.Keys);
            string[] listed = context.Response.Headers["Access-Control-Allow-Headers"].Split(',');
            Assert.Equal(2, listed.Length);
            foreach (var expected in new[] { "foo", "bar" })
            {
                Assert.Contains(expected, listed);
            }
        }
コード例 #58
ファイル: CorsServiceTests.cs プロジェクト: qiudesong/CORS
        // Verifies that no Access-Control-Expose-Headers header is written when the
        // result exposes no headers.
        public void ApplyResult_NoAllowExposedHeaders_ExposedHeadersHeaderNotAdded()
        {
            // Arrange: AllowedExposedHeaders is deliberately left untouched on a new result.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(new TestCorsOptions());
            var corsResult = new CorsResult();

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: the expose-headers header is absent from the response.
            var headerNames = context.Response.Headers.Keys;
            Assert.DoesNotContain("Access-Control-Expose-Headers", headerNames);
        }
コード例 #59
ファイル: CorsServiceTests.cs プロジェクト: Norgerman/CORS
        // Verifies that when the allowed methods mix simple ones with PUT and DELETE,
        // only PUT and DELETE are emitted. The lower-case "get" entry is dropped too,
        // so the expected value pins the simple-method filtering as case-insensitive.
        public void ApplyResult_SomeSimpleAllowMethods_AllowMethodsHeaderAddedForNonSimpleMethods()
        {
            // Arrange: two non-simple methods interleaved with "get" and POST.
            var context = new DefaultHttpContext();
            var corsService = new CorsService(Mock.Of<IOptions<CorsOptions>>());
            var corsResult = new CorsResult();
            foreach (var method in new[] { "PUT", "get", "DELETE", "POST" })
            {
                corsResult.AllowedMethods.Add(method);
            }

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert: exactly one header value exists and it is the joined non-simple list.
            Assert.Contains("Access-Control-Allow-Methods", context.Response.Headers.Keys);
            var onlyValue = Assert.Single(context.Response.Headers.Values);
            Assert.Equal(new[] { "PUT,DELETE" }, onlyValue);

            // Splitting the header must yield the same two methods individually.
            var listed = context.Response.Headers["Access-Control-Allow-Methods"].Split(',');
            Assert.Equal(2, listed.Length);
            foreach (var expected in new[] { "PUT", "DELETE" })
            {
                Assert.Contains(expected, listed);
            }
        }
コード例 #60
ファイル: CorsServiceTests.cs プロジェクト: qiudesong/CORS
        // Verifies that a single custom allowed header is written verbatim to
        // Access-Control-Allow-Headers.
        public void ApplyResult_OneAllowHeaders_AllowHeadersHeaderAdded()
        {
            // Arrange: the result allows only the custom header "foo".
            var context = new DefaultHttpContext();
            var corsService = new CorsService(new TestCorsOptions());
            var corsResult = new CorsResult
            {
                AllowedHeaders = { "foo" }
            };

            // Act
            corsService.ApplyResult(corsResult, context.Response);

            // Assert
            var allowHeaders = context.Response.Headers["Access-Control-Allow-Headers"];
            Assert.Equal("foo", allowHeaders);
        }