Fix cors with creds (#193)

This commit is contained in:
Javier Calvarro Nelson 2018-10-24 12:56:07 -07:00 committed by GitHub
parent 50dff844b2
commit aa88f16b08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 15 deletions

View File

@ -136,10 +136,17 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
result.SupportsCredentials = policy.SupportsCredentials; result.SupportsCredentials = policy.SupportsCredentials;
result.PreflightMaxAge = policy.PreflightMaxAge; result.PreflightMaxAge = policy.PreflightMaxAge;
// https://fetch.spec.whatwg.org/#http-new-header-syntax
AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders); AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders);
AddHeaderValues(result.AllowedMethods, policy.Methods);
AddHeaderValues(result.AllowedHeaders, policy.Headers); var allowedMethods = policy.AllowAnyMethod && policy.SupportsCredentials ?
new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method }
: policy.Methods;
AddHeaderValues(result.AllowedMethods, allowedMethods);
var allowedHeaders = policy.AllowAnyHeader && policy.SupportsCredentials ?
context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) : policy.Headers;
AddHeaderValues(result.AllowedHeaders, allowedHeaders);
} }
public virtual void EvaluateRequest(HttpContext context, CorsPolicy policy, CorsResult result) public virtual void EvaluateRequest(HttpContext context, CorsPolicy policy, CorsResult result)

View File

@ -6,7 +6,7 @@ const corsServerPath = `http://${hostname}:9000`;
// e.g., npm test --debug // e.g., npm test --debug
// In debug mode we show the editor, slow down operations, and increase the timeout for each test // In debug mode we show the editor, slow down operations, and increase the timeout for each test
const debug = process.env.npm_config_debug || false; let debug = process.env.npm_config_debug || false;
jest.setTimeout(debug ? 60000 : 30000); jest.setTimeout(debug ? 60000 : 30000);
let browser; let browser;
@ -38,8 +38,8 @@ describe('Browser is initialized', () => {
test('no errors on launch', () => { test('no errors on launch', () => {
expect(error).toBeUndefined(); expect(error).toBeUndefined();
expect(browser).toBeDefined(); expect(browser).toBeDefined();
}) });
}) });
describe('CORS allowed origin tests ', () => { describe('CORS allowed origin tests ', () => {
const testPagePath = `http://${hostname}:9001/`; const testPagePath = `http://${hostname}:9001/`;
@ -176,7 +176,11 @@ describe('CORS allowed origin tests ', () => {
test('allows Preflighted request with credentials', async () => { test('allows Preflighted request with credentials', async () => {
const result = await page.evaluate(async (corsServerPath) => { const result = await page.evaluate(async (corsServerPath) => {
const url = `${corsServerPath}/allow-credentials`; const url = `${corsServerPath}/allow-credentials`;
const options = { method: 'PUT', mode: 'cors', credentials: 'include' }; const options = {
method: 'PUT', mode: 'cors', credentials: 'include', headers: new Headers({
'X-Custom-Header': 'X-Custom-Value'
})
};
const response = await fetch(url, options); const response = await fetch(url, options);
return response.status; return response.status;

View File

@ -192,7 +192,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
} }
[Fact] [Fact]
public async Task PreFlight_WithCredentialsAllowed_ReturnsWildcardValues() public async Task PreFlight_WithCredentialsAllowed_ReflectsRequestHeaders()
{ {
// Arrange // Arrange
var policy = new CorsPolicyBuilder(OriginUrl) var policy = new CorsPolicyBuilder(OriginUrl)
@ -240,12 +240,12 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
kvp => kvp =>
{ {
Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key); Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key);
Assert.Equal(new[] { "*" }, kvp.Value); Assert.Equal(new[] { "X-Test1,X-Test2" }, kvp.Value);
}, },
kvp => kvp =>
{ {
Assert.Equal(CorsConstants.AccessControlAllowMethods, kvp.Key); Assert.Equal(CorsConstants.AccessControlAllowMethods, kvp.Key);
Assert.Equal(new[] { "*" }, kvp.Value); Assert.Equal(new[] { "PUT" }, kvp.Value);
}, },
kvp => kvp =>
{ {

View File

@ -492,7 +492,6 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
policy.Origins.Add(CorsConstants.AnyOrigin); policy.Origins.Add(CorsConstants.AnyOrigin);
policy.Methods.Add("*"); policy.Methods.Add("*");
policy.Headers.Add("*"); policy.Headers.Add("*");
policy.SupportsCredentials = true;
// Act // Act
var result = corsService.EvaluatePolicy(requestContext, policy); var result = corsService.EvaluatePolicy(requestContext, policy);
@ -527,7 +526,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
} }
[Fact] [Fact]
public void EvaluatePolicy_PreflightRequest_WithCredentials_ReturnsWildCard() public void EvaluatePolicy_PreflightRequest_WithCredentials_ReflectsHeaders()
{ {
// Arrange // Arrange
var corsService = GetCorsService(); var corsService = GetCorsService();
@ -543,8 +542,8 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
// Assert // Assert
Assert.NotNull(result); Assert.NotNull(result);
Assert.Equal(new[] { "*" }, result.AllowedMethods); Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
Assert.Equal(new[] { "*" }, result.AllowedHeaders); Assert.Empty(result.AllowedHeaders);
Assert.True(result.SupportsCredentials); Assert.True(result.SupportsCredentials);
} }

View File

@ -4,6 +4,8 @@
<handlers> <handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" /> <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers> </handlers>
<aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false" /> <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false">
<environmentVariables />
</aspNetCore>
</system.webServer> </system.webServer>
</configuration> </configuration>