| author | Theron Luhn <theron@luhn.com> | 2019-09-19 18:32:41 -0700 |
|---|---|---|
| committer | Theron Luhn <theron@luhn.com> | 2019-09-19 18:32:41 -0700 |
| commit | 6dd21309e4d9b21162b8db3e015533be10db0601 (patch) | |
| tree | b032a3aeeeed79fcb6ad1b273bc214147dd0884c /tests | |
| parent | 3af1883bcd617d74eb8c9b134b5ac830f8cdd2a9 (diff) | |
Add allow_no_origin option to CSRF.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/test_config/test_security.py | 3 | ||||
| -rw-r--r-- | tests/test_csrf.py | 6 | ||||
| -rw-r--r-- | tests/test_viewderivers.py | 21 |
3 files changed, 30 insertions, 0 deletions
diff --git a/tests/test_config/test_security.py b/tests/test_config/test_security.py
index 5ebd78f8d..6257960b8 100644
--- a/tests/test_config/test_security.py
+++ b/tests/test_config/test_security.py
@@ -126,6 +126,7 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase):
 list(sorted(result.safe_methods)),
 ['GET', 'HEAD', 'OPTIONS', 'TRACE'],
 )
+ self.assertFalse(result.allow_no_origin)
 self.assertTrue(result.callback is None)
 
 def test_changing_set_default_csrf_options(self):
@@ -141,6 +142,7 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase):
 token='DUMMY',
 header=None,
 safe_methods=('PUT',),
+ allow_no_origin=True,
 callback=callback,
 )
 result = config.registry.getUtility(IDefaultCSRFOptions)
@@ -148,4 +150,5 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase):
 self.assertEqual(result.token, 'DUMMY')
 self.assertEqual(result.header, None)
 self.assertEqual(list(sorted(result.safe_methods)), ['PUT'])
+ self.assertTrue(result.allow_no_origin)
 self.assertTrue(result.callback is callback)
diff --git a/tests/test_csrf.py b/tests/test_csrf.py
index d1b569c32..f93a1afde 100644
--- a/tests/test_csrf.py
+++ b/tests/test_csrf.py
@@ -363,6 +363,12 @@ class Test_check_csrf_origin(unittest.TestCase):
 request.registry.settings = {}
 self.assertTrue(self._callFUT(request))
 
+ def test_success_with_allow_no_origin(self):
+ request = testing.DummyRequest()
+ request.scheme = "https"
+ request.referrer = None
+ self.assertTrue(self._callFUT(request, allow_no_origin=True))
+
 def test_fails_with_wrong_host(self):
 from pyramid.exceptions import BadCSRFOrigin
 
diff --git a/tests/test_viewderivers.py b/tests/test_viewderivers.py
index f01cb490e..3ca5f8534 100644
--- a/tests/test_viewderivers.py
+++ b/tests/test_viewderivers.py
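Review bot: `self.assertFalse(result.allow_no_origin)` in the first hunk of tests/test_config/test_security.py also passes for `None` or any other falsy value, so it does not pin the fail-closed default of the new CSRF option. Because the option relaxes the origin check, I would assert the exact value, `self.assertIs(result.allow_no_origin, False)`, assuming the option is stored as a plain bool. The same applies to `self.assertTrue(result.allow_no_origin)` in the @@ -148 hunk, which could become `self.assertIs(result.allow_no_origin, True)`. Both test methods start outside the visible hunks.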
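Review bot: `test_success_with_allow_no_origin` in tests/test_csrf.py covers only the accepting path, so nothing visible here pins that `allow_no_origin=True` relaxes the missing-header case alone. A companion test should show that a present but mismatched referrer still raises `BadCSRFOrigin` with the flag set. Without it, a regression that turns the flag into a full bypass of the origin check would go unnoticed. A test for the default rejection of a referrer-less request may already exist outside the hunk.

```python
    def test_fails_with_wrong_host_and_allow_no_origin(self):
        from pyramid.exceptions import BadCSRFOrigin

        request = testing.DummyRequest()
        request.scheme = "https"
        request.domain = "example.com"
        request.host_port = "443"
        # constructed value: any referrer whose host differs from request.domain
        request.referrer = "https://not-example.com/"
        request.registry.settings = {}
        self.assertRaises(
            BadCSRFOrigin, self._callFUT, request, allow_no_origin=True
        )
```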
@@ -1504,6 +1504,27 @@ class TestDeriveView(unittest.TestCase):
 result = view(None, request)
 self.assertTrue(result is response)
 
+ def test_csrf_view_allow_no_origin(self):
+ response = DummyResponse()
+
+ def inner_view(request):
+ return response
+
+ self.config.set_default_csrf_options(
+ require_csrf=True, allow_no_origin=True
+ )
+ request = self._makeRequest()
+ request.scheme = "https"
+ request.domain = "example.com"
+ request.host_port = "443"
+ request.referrer = None
+ request.method = 'POST'
+ request.session = DummySession({'csrf_token': 'foo'})
+ request.POST = {'csrf_token': 'foo'}
+ view = self.config._derive_view(inner_view, require_csrf=True)
+ result = view(None, request)
+ self.assertTrue(result is response)
+
 def test_csrf_view_fails_on_bad_PUT_header(self):
 from pyramid.exceptions import BadCSRFToken
 
|
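Review bot: `test_csrf_view_allow_no_origin` posts a matching token, so it cannot tell whether the token comparison still runs once the origin check is skipped for a referrer-less HTTPS request. With `allow_no_origin=True` the token is the only remaining CSRF defence for such requests, so I would add a sibling test with the same setup that posts a non-matching token and expects `BadCSRFToken`. `_makeRequest` is defined outside the hunk, so I am assuming it sets no Origin header.

```python
    def test_csrf_view_allow_no_origin_still_checks_token(self):
        from pyramid.exceptions import BadCSRFToken

        # … unchanged: inner_view, set_default_csrf_options and request setup as in test_csrf_view_allow_no_origin …
        request.session = DummySession({'csrf_token': 'foo'})
        request.POST = {'csrf_token': 'bar'}
        view = self.config._derive_view(inner_view, require_csrf=True)
        self.assertRaises(BadCSRFToken, lambda: view(None, request))
```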
