From 8b7b7cbf9058312f0bf6b044cfa388f807eff739 Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Mon, 30 Sep 2019 21:27:20 -0500
Subject: support Origin: null in csrf_trusted_origins and check_origin=False

---
 tests/test_csrf.py | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

(limited to 'tests/test_csrf.py')

diff --git a/tests/test_csrf.py b/tests/test_csrf.py
index f93a1afde..ae998ec95 100644
--- a/tests/test_csrf.py
+++ b/tests/test_csrf.py
@@ -387,8 +387,48 @@ class Test_check_csrf_origin(unittest.TestCase):
         request = testing.DummyRequest()
         request.scheme = "https"
         request.referrer = None
-        self.assertRaises(BadCSRFOrigin, self._callFUT, request)
+        self.assertRaises(
+            BadCSRFOrigin, self._callFUT, request, allow_no_origin=False
+        )
+        self.assertFalse(
+            self._callFUT(request, raises=False, allow_no_origin=False)
+        )
+
+    def test_fail_with_null_origin(self):
+        from pyramid.exceptions import BadCSRFOrigin
+
+        request = testing.DummyRequest()
+        request.scheme = "https"
+        request.host = "example.com"
+        request.host_port = "443"
+        request.referrer = None
+        request.headers = {'Origin': 'null'}
+        request.registry.settings = {}
         self.assertFalse(self._callFUT(request, raises=False))
+        self.assertRaises(BadCSRFOrigin, self._callFUT, request)
+
+    def test_success_with_null_origin_and_setting(self):
+        request = testing.DummyRequest()
+        request.scheme = "https"
+        request.host = "example.com"
+        request.host_port = "443"
+        request.referrer = None
+        request.headers = {'Origin': 'null'}
+        request.registry.settings = {"pyramid.csrf_trusted_origins": ["null"]}
+        self.assertTrue(self._callFUT(request, raises=False))
+
+    def test_success_with_multiple_origins(self):
+        request = testing.DummyRequest()
+        request.scheme = "https"
+        request.host = "example.com"
+        request.host_port = "443"
+        request.headers = {
+            'Origin': 'https://google.com https://not-example.com'
+        }
+        request.registry.settings = {
+            "pyramid.csrf_trusted_origins": ["not-example.com"]
+        }
+        self.assertTrue(self._callFUT(request, raises=False))
 
     def test_fails_when_http_to_https(self):
         from pyramid.exceptions import BadCSRFOrigin
--
cgit v1.2.3
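Review bot: `test_success_with_multiple_origins` asserts that a two-value `Origin` header is accepted when only the last value is trusted, but nothing in the hunk pins down which value the check consults, so a later change to "accept if any listed origin is trusted" would still pass this suite. A companion negative test that swaps the order, `'Origin': 'https://not-example.com https://google.com'` with the same settings, and asserts `self.assertFalse(self._callFUT(request, raises=False))` would fix the rule, assuming the implementation (not visible here) takes the last value; if it instead accepts any trusted value, that is the weaker check and the test should say so in a comment. `test_success_with_null_origin_and_setting` would also benefit from a one-line comment that `"null"` is the opaque origin browsers send for sandboxed frames, `file:` pages and cross-origin redirects, so listing it in `pyramid.csrf_trusted_origins` is an explicit opt-out of origin checking for such requests rather than an ordinary host entry. The `Test_check_csrf_origin` class and `test_fails_when_http_to_https` continue outside the hunk.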