Merge "Fix duplication for headers in Access-Control-Expose-Headers"
commit
2087dedc95
@ -235,17 +235,17 @@ def cors_validation(func):
|
|||||||
# - headers provided by the user in
|
# - headers provided by the user in
|
||||||
# x-container-meta-access-control-expose-headers
|
# x-container-meta-access-control-expose-headers
|
||||||
if 'Access-Control-Expose-Headers' not in resp.headers:
|
if 'Access-Control-Expose-Headers' not in resp.headers:
|
||||||
expose_headers = [
|
expose_headers = set([
|
||||||
'cache-control', 'content-language', 'content-type',
|
'cache-control', 'content-language', 'content-type',
|
||||||
'expires', 'last-modified', 'pragma', 'etag',
|
'expires', 'last-modified', 'pragma', 'etag',
|
||||||
'x-timestamp', 'x-trans-id']
|
'x-timestamp', 'x-trans-id'])
|
||||||
for header in resp.headers:
|
for header in resp.headers:
|
||||||
if header.startswith('X-Container-Meta') or \
|
if header.startswith('X-Container-Meta') or \
|
||||||
header.startswith('X-Object-Meta'):
|
header.startswith('X-Object-Meta'):
|
||||||
expose_headers.append(header.lower())
|
expose_headers.add(header.lower())
|
||||||
if cors_info.get('expose_headers'):
|
if cors_info.get('expose_headers'):
|
||||||
expose_headers.extend(
|
expose_headers = expose_headers.union(
|
||||||
[header_line.strip()
|
[header_line.strip().lower()
|
||||||
for header_line in
|
for header_line in
|
||||||
cors_info['expose_headers'].split(' ')
|
cors_info['expose_headers'].split(' ')
|
||||||
if header_line.strip()])
|
if header_line.strip()])
|
||||||
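Review bot: Switching `expose_headers` to a set removes the duplicates but also makes the order of the names arbitrary, so the emitted `Access-Control-Expose-Headers` value may differ between proxy processes for the same object. The join that builds the header value is outside this hunk, so this is inferred; if it iterates the set directly, `', '.join(sorted(expose_headers))` would keep the value stable for caches and log comparison. The rebinding through `union([...])` could be an in-place `expose_headers.update(...)` fed by a generator, which avoids a throwaway list and a second set. A short comment that the container-supplied names are lowercased because header names are case-insensitive would explain the added `.lower()`.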
|
@ -5847,7 +5847,9 @@ class TestObjectController(unittest.TestCase):
|
|||||||
def stubContainerInfo(*args):
|
def stubContainerInfo(*args):
|
||||||
return {
|
return {
|
||||||
'cors': {
|
'cors': {
|
||||||
'allow_origin': 'http://not.foo.bar'
|
'allow_origin': 'http://not.foo.bar',
|
||||||
|
'expose_headers': 'X-Object-Meta-Color '
|
||||||
|
'X-Object-Meta-Color-Ex'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
controller.container_info = stubContainerInfo
|
controller.container_info = stubContainerInfo
|
||||||
@ -5872,14 +5874,15 @@ class TestObjectController(unittest.TestCase):
|
|||||||
self.assertEqual('red', resp.headers['x-object-meta-color'])
|
self.assertEqual('red', resp.headers['x-object-meta-color'])
|
||||||
# X-Super-Secret is in the response, but not "exposed"
|
# X-Super-Secret is in the response, but not "exposed"
|
||||||
self.assertEqual('hush', resp.headers['x-super-secret'])
|
self.assertEqual('hush', resp.headers['x-super-secret'])
|
||||||
self.assertTrue('access-control-expose-headers' in resp.headers)
|
self.assertIn('access-control-expose-headers', resp.headers)
|
||||||
exposed = set(
|
exposed = set(
|
||||||
h.strip() for h in
|
h.strip() for h in
|
||||||
resp.headers['access-control-expose-headers'].split(','))
|
resp.headers['access-control-expose-headers'].split(','))
|
||||||
expected_exposed = set(['cache-control', 'content-language',
|
expected_exposed = set(['cache-control', 'content-language',
|
||||||
'content-type', 'expires', 'last-modified',
|
'content-type', 'expires', 'last-modified',
|
||||||
'pragma', 'etag', 'x-timestamp',
|
'pragma', 'etag', 'x-timestamp',
|
||||||
'x-trans-id', 'x-object-meta-color'])
|
'x-trans-id', 'x-object-meta-color',
|
||||||
|
'x-object-meta-color-ex'])
|
||||||
self.assertEqual(expected_exposed, exposed)
|
self.assertEqual(expected_exposed, exposed)
|
||||||
|
|
||||||
controller.app.strict_cors_mode = True
|
controller.app.strict_cors_mode = True
|
||||||
@ -5891,7 +5894,49 @@ class TestObjectController(unittest.TestCase):
|
|||||||
resp = cors_validation(objectGET)(controller, req)
|
resp = cors_validation(objectGET)(controller, req)
|
||||||
|
|
||||||
self.assertEqual(200, resp.status_int)
|
self.assertEqual(200, resp.status_int)
|
||||||
self.assertTrue('access-control-allow-origin' not in resp.headers)
|
self.assertNotIn('access-control-expose-headers', resp.headers)
|
||||||
|
self.assertNotIn('access-control-allow-origin', resp.headers)
|
||||||
|
|
||||||
|
controller.app.strict_cors_mode = False
|
||||||
|
|
||||||
|
def stubContainerInfoWithAsteriskAllowOrigin(*args):
|
||||||
|
return {
|
||||||
|
'cors': {
|
||||||
|
'allow_origin': '*'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
controller.container_info = \
|
||||||
|
stubContainerInfoWithAsteriskAllowOrigin
|
||||||
|
|
||||||
|
req = Request.blank(
|
||||||
|
'/v1/a/c/o.jpg',
|
||||||
|
{'REQUEST_METHOD': 'GET'},
|
||||||
|
headers={'Origin': 'http://foo.bar'})
|
||||||
|
|
||||||
|
resp = cors_validation(objectGET)(controller, req)
|
||||||
|
|
||||||
|
self.assertEqual(200, resp.status_int)
|
||||||
|
self.assertEqual('*',
|
||||||
|
resp.headers['access-control-allow-origin'])
|
||||||
|
|
||||||
|
def stubContainerInfoWithEmptyAllowOrigin(*args):
|
||||||
|
return {
|
||||||
|
'cors': {
|
||||||
|
'allow_origin': ''
|
||||||
|
}
|
||||||
|
}
|
||||||
|
controller.container_info = stubContainerInfoWithEmptyAllowOrigin
|
||||||
|
|
||||||
|
req = Request.blank(
|
||||||
|
'/v1/a/c/o.jpg',
|
||||||
|
{'REQUEST_METHOD': 'GET'},
|
||||||
|
headers={'Origin': 'http://foo.bar'})
|
||||||
|
|
||||||
|
resp = cors_validation(objectGET)(controller, req)
|
||||||
|
|
||||||
|
self.assertEqual(200, resp.status_int)
|
||||||
|
self.assertEqual('http://foo.bar',
|
||||||
|
resp.headers['access-control-allow-origin'])
|
||||||
|
|
||||||
def test_CORS_valid_with_obj_headers(self):
|
def test_CORS_valid_with_obj_headers(self):
|
||||||
with save_globals():
|
with save_globals():
|
||||||
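Review bot: The assertion `self.assertEqual(expected_exposed, exposed)` cannot fail on the duplication this commit fixes, because `exposed` is built with `set(...)` and a repeated `x-object-meta-color` collapses before the comparison. Keeping the parsed names in a list, `exposed = [h.strip() for h in resp.headers['access-control-expose-headers'].split(',')]`, and comparing `sorted(exposed)` with `sorted(expected_exposed)` would pin the regression. In the last hunk, the `stubContainerInfoWithEmptyAllowOrigin` case asserts that the request's `Origin` is echoed back when `allow_origin` is empty. A one-line comment there, stating whether that reflection is intended while `strict_cors_mode` is `False`, would stop it being read as an accident. The enclosing test method starts outside these hunks.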
|