Added a test verifying that the cache headers are not set after the response has started.

2018-01-22 17:51:13 -08:00 · 2018-01-22 17:51:13 -08:00 · 763393efc4
parent ea38977599
commit 763393efc4
1 changed files with 59 additions and 0 deletions
--- a/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs
+++ b/test/Microsoft.AspNetCore.Antiforgery.Test/Internal/DefaultAntiforgeryTest.cs
@ -6,6 +6,7 @@ using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Testing;
@ -1137,6 +1138,47 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
            context.TokenSerializer.Verify(s => s.Deserialize(null), Times.Never);
        }

+        [Fact]
+        public void SetCookieTokenAndHeader_DoesNotModifyHeadersAfterResponseHasStarted()
+        {
+            // Arrange
+            var antiforgeryFeature = new AntiforgeryFeature
+            {
+                HaveDeserializedCookieToken = false,
+                HaveGeneratedNewCookieToken = false,
+                HaveStoredNewCookieToken = true,
+                NewCookieToken = new AntiforgeryToken(),
+                NewCookieTokenString = "serialized-cookie-token-from-context",
+                NewRequestToken = new AntiforgeryToken(),
+                NewRequestTokenString = "serialized-form-token-from-context",
+            };
+            var context = CreateMockContext(
+                new AntiforgeryOptions(),
+                useOldCookie: false,
+                isOldCookieValid: false,
+                antiforgeryFeature: antiforgeryFeature);
+            var testTokenSet = new TestTokenSet
+            {
+                OldCookieTokenString = null
+            };
+
+            var nullTokenStore = GetTokenStore(context.HttpContext, testTokenSet, false);
+            var antiforgery = GetAntiforgery(
+                context.HttpContext,
+                tokenGenerator: context.TokenGenerator.Object,
+                tokenStore: nullTokenStore.Object);
+
+            TestResponseFeature testResponse = new TestResponseFeature();
+            context.HttpContext.Features.Set<IHttpResponseFeature>(testResponse);
+            context.HttpContext.Response.Headers["Cache-Control"] = "public";
+            testResponse.StartResponse();
+
+            // Act
+            antiforgery.SetCookieTokenAndHeader(context.HttpContext);
+
+            Assert.Equal("public", context.HttpContext.Response.Headers["Cache-Control"]);
+        }
+
        [Fact]
        public void GetAndStoreTokens_DoesNotLogWarning_IfNoExistingCacheHeadersPresent()
        {
@ -1196,6 +1238,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
            var antiforgery = GetAntiforgery(context);
            context.HttpContext.Response.Headers[headerName] = headerValue;

+            //context.HttpContext.Features
            // Act
            var tokenSet = antiforgery.GetAndStoreTokens(context.HttpContext);

@ -1435,5 +1478,21 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
        {
            public AntiforgeryOptions Value { get; set; } = new AntiforgeryOptions();
        }
+
+        private class TestResponseFeature : HttpResponseFeature
+        {
+            private bool _hasStarted = false;
+
+            public override bool HasStarted { get => _hasStarted; }
+
+            public TestResponseFeature()
+            {
+            }
+
+            public void StartResponse()
+            {
+                _hasStarted = true;
+            }
+        }
    }
 }