React to CORS changes
This commit is contained in:
parent
9daf5ff7a4
commit
f6fc34aff9
|
|
@ -28,7 +28,7 @@
|
||||||
<MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>
|
<MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreBenchmarkRunnerSourcesPackageVersion>
|
||||||
<MicrosoftAspNetCoreChunkingCookieManagerSourcesPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreChunkingCookieManagerSourcesPackageVersion>
|
<MicrosoftAspNetCoreChunkingCookieManagerSourcesPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreChunkingCookieManagerSourcesPackageVersion>
|
||||||
<MicrosoftAspNetCoreCookiePolicyPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreCookiePolicyPackageVersion>
|
<MicrosoftAspNetCoreCookiePolicyPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreCookiePolicyPackageVersion>
|
||||||
<MicrosoftAspNetCoreCorsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreCorsPackageVersion>
|
<MicrosoftAspNetCoreCorsPackageVersion>2.2.0-a-preview3-22cors-16556</MicrosoftAspNetCoreCorsPackageVersion>
|
||||||
<MicrosoftAspNetCoreDiagnosticsAbstractionsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreDiagnosticsAbstractionsPackageVersion>
|
<MicrosoftAspNetCoreDiagnosticsAbstractionsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreDiagnosticsAbstractionsPackageVersion>
|
||||||
<MicrosoftAspNetCoreDiagnosticsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreDiagnosticsPackageVersion>
|
<MicrosoftAspNetCoreDiagnosticsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreDiagnosticsPackageVersion>
|
||||||
<MicrosoftAspNetCoreHostingAbstractionsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreHostingAbstractionsPackageVersion>
|
<MicrosoftAspNetCoreHostingAbstractionsPackageVersion>2.2.0-preview3-35359</MicrosoftAspNetCoreHostingAbstractionsPackageVersion>
|
||||||
|
|
|
||||||
|
|
@ -102,7 +102,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
[InlineData("HEAD")]
|
[InlineData("HEAD")]
|
||||||
[InlineData("POST")]
|
[InlineData("POST")]
|
||||||
[InlineData("PUT")]
|
[InlineData("PUT")]
|
||||||
public async Task PolicyFailed_Disallows_PreFlightRequest(string method)
|
public async Task OriginMatched_ReturnsHeaders(string method)
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var request = new HttpRequestMessage(
|
var request = new HttpRequestMessage(
|
||||||
|
|
@ -120,7 +120,18 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
// Assert
|
// Assert
|
||||||
// MVC applied the policy and since that did not pass, there were no access control headers.
|
// MVC applied the policy and since that did not pass, there were no access control headers.
|
||||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||||
Assert.Empty(response.Headers);
|
Assert.Collection(
|
||||||
|
response.Headers.OrderBy(h => h.Key),
|
||||||
|
h =>
|
||||||
|
{
|
||||||
|
Assert.Equal(CorsConstants.AccessControlAllowMethods, h.Key);
|
||||||
|
Assert.Equal(new[] { "GET,POST,HEAD" }, h.Value);
|
||||||
|
},
|
||||||
|
h =>
|
||||||
|
{
|
||||||
|
Assert.Equal(CorsConstants.AccessControlAllowOrigin, h.Key);
|
||||||
|
Assert.Equal(new[] { "*" }, h.Value);
|
||||||
|
});
|
||||||
|
|
||||||
// It should short circuit and hence no result.
|
// It should short circuit and hence no result.
|
||||||
var content = await response.Content.ReadAsStringAsync();
|
var content = await response.Content.ReadAsStringAsync();
|
||||||
|
|
@ -146,7 +157,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||||
var responseHeaders = response.Headers;
|
var responseHeaders = response.Headers;
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "http://example.com" },
|
new[] { "*" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "true" },
|
new[] { "true" },
|
||||||
|
|
@ -179,16 +190,16 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||||
var responseHeaders = response.Headers;
|
var responseHeaders = response.Headers;
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "http://example.com" },
|
new[] { "*" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "true" },
|
new[] { "true" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "header1,header2" },
|
new[] { "*" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "PUT" },
|
new[] { "PUT,POST" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowMethods).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowMethods).ToArray());
|
||||||
|
|
||||||
var content = await response.Content.ReadAsStringAsync();
|
var content = await response.Content.ReadAsStringAsync();
|
||||||
|
|
@ -270,12 +281,43 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
Assert.Empty(content);
|
Assert.Empty(content);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Fact]
|
||||||
[InlineData("http://localhost/api/store/actionusingcontrollercorssettings")]
|
public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnController()
|
||||||
[InlineData("http://localhost/api/store/actionwithcorssettings")]
|
|
||||||
public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters(string url)
|
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
|
var url = "http://localhost/api/store/actionusingcontrollercorssettings";
|
||||||
|
var request = new HttpRequestMessage(new HttpMethod(CorsConstants.PreflightHttpMethod), url);
|
||||||
|
|
||||||
|
// Adding a custom header makes it a non-simple request.
|
||||||
|
request.Headers.Add(CorsConstants.Origin, "http://example.com");
|
||||||
|
request.Headers.Add(CorsConstants.AccessControlRequestMethod, "GET");
|
||||||
|
request.Headers.Add(CorsConstants.AccessControlRequestHeaders, "Custom");
|
||||||
|
|
||||||
|
// Act
|
||||||
|
var response = await Client.SendAsync(request);
|
||||||
|
|
||||||
|
// Assert
|
||||||
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||||
|
var responseHeaders = response.Headers;
|
||||||
|
Assert.Equal(
|
||||||
|
new[] { "*" },
|
||||||
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowOrigin).ToArray());
|
||||||
|
Assert.Equal(
|
||||||
|
new[] { "true" },
|
||||||
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
|
||||||
|
Assert.Equal(
|
||||||
|
new[] { "*" },
|
||||||
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
|
||||||
|
|
||||||
|
var content = await response.Content.ReadAsStringAsync();
|
||||||
|
Assert.Empty(content);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnAction()
|
||||||
|
{
|
||||||
|
// Arrange
|
||||||
|
var url = "http://localhost/api/store/actionwithcorssettings";
|
||||||
var request = new HttpRequestMessage(new HttpMethod(CorsConstants.PreflightHttpMethod), url);
|
var request = new HttpRequestMessage(new HttpMethod(CorsConstants.PreflightHttpMethod), url);
|
||||||
|
|
||||||
// Adding a custom header makes it a non-simple request.
|
// Adding a custom header makes it a non-simple request.
|
||||||
|
|
@ -296,7 +338,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
|
||||||
new[] { "true" },
|
new[] { "true" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowCredentials).ToArray());
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
new[] { "Custom" },
|
new[] { "*" },
|
||||||
responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
|
responseHeaders.GetValues(CorsConstants.AccessControlAllowHeaders).ToArray());
|
||||||
|
|
||||||
var content = await response.Content.ReadAsStringAsync();
|
var content = await response.Content.ReadAsStringAsync();
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue