authorMichael Merickel <michael@merickel.org>2019-09-30 21:27:20 -0500
committerMichael Merickel <michael@merickel.org>2019-10-17 22:49:49 -0500
commit8b7b7cbf9058312f0bf6b044cfa388f807eff739 (patch)
tree1b7de5c2b62928aea23372adb2b95b42aa5eab0c /tests/test_csrf.py
parent2153b4b878d77aa0cb5b79805dd185d133c26451 (diff)
support Origin: null in csrf_trusted_origins and check_origin=False
Diffstat (limited to 'tests/test_csrf.py')
-rw-r--r--tests/test_csrf.py42
1 files changed, 41 insertions, 1 deletions
diff --git a/tests/test_csrf.py b/tests/test_csrf.py
index f93a1afde..ae998ec95 100644
--- a/tests/test_csrf.py
+++ b/tests/test_csrf.py
@@ -387,8 +387,48 @@ class Test_check_csrf_origin(unittest.TestCase):
request = testing.DummyRequest()
request.scheme = "https"
request.referrer = None
- self.assertRaises(BadCSRFOrigin, self._callFUT, request)
+ self.assertRaises(
+ BadCSRFOrigin, self._callFUT, request, allow_no_origin=False
+ )
+ self.assertFalse(
+ self._callFUT(request, raises=False, allow_no_origin=False)
+ )
+
+ def test_fail_with_null_origin(self):
+ from pyramid.exceptions import BadCSRFOrigin
+
+ request = testing.DummyRequest()
+ request.scheme = "https"
+ request.host = "example.com"
+ request.host_port = "443"
+ request.referrer = None
+ request.headers = {'Origin': 'null'}
+ request.registry.settings = {}
self.assertFalse(self._callFUT(request, raises=False))
+ self.assertRaises(BadCSRFOrigin, self._callFUT, request)
+
+ def test_success_with_null_origin_and_setting(self):
+ request = testing.DummyRequest()
+ request.scheme = "https"
+ request.host = "example.com"
+ request.host_port = "443"
+ request.referrer = None
+ request.headers = {'Origin': 'null'}
+ request.registry.settings = {"pyramid.csrf_trusted_origins": ["null"]}
+ self.assertTrue(self._callFUT(request, raises=False))
+
+ def test_success_with_multiple_origins(self):
+ request = testing.DummyRequest()
+ request.scheme = "https"
+ request.host = "example.com"
+ request.host_port = "443"
+ request.headers = {
+ 'Origin': 'https://google.com https://not-example.com'
+ }
+ request.registry.settings = {
+ "pyramid.csrf_trusted_origins": ["not-example.com"]
+ }
+ self.assertTrue(self._callFUT(request, raises=False))
def test_fails_when_http_to_https(self):
from pyramid.exceptions import BadCSRFOrigin
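Review bot: `test_success_with_multiple_origins` only pins the accepting case for a multi-valued `Origin` header, so nothing in this hunk fixes which of the space-separated entries the check actually trusts. Here the trusted host is the last entry; a companion test with the order reversed, `request.headers = {'Origin': 'https://not-example.com https://google.com'}`, should assert the intended outcome (presumably `self.assertFalse(self._callFUT(request, raises=False))` if only the last entry is meant to count; confirm against `check_csrf_origin`, which is not shown). Without it, a later change that accepts any matching entry would weaken the check and still pass these tests. `test_success_with_null_origin_and_setting` would also benefit from a comment such as `# "null" is what browsers send for opaque origins (e.g. sandboxed iframes); listing it in csrf_trusted_origins is an explicit opt-in`. The first changed test starts above the hunk and `test_fails_when_http_to_https` continues below it.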