Send CORS headers when doing JSON responses too (#1765)
parent
e281ad7cc3
commit
c94e2534a9
@ -1061,6 +1061,18 @@ sub corsPreflight {
|
|||
return [ 204, \@headers, [] ];
|
||||
}
|
||||
|
||||
sub sendJSONresponse {
|
||||
my ( $self, $req, $j, %args ) = @_;
|
||||
my $res = Lemonldap::NG::Common::PSGI::sendJSONresponse(@_);
|
||||
if ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
}
|
||||
return $res;
|
||||
}
|
||||
|
||||
# Temlate loader
|
||||
sub loadTemplate {
|
||||
my ( $self, $req, $name, %prm ) = @_;
|
||||
|
|
|
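Review bot: `push @{ $res->[1] }, @cors;` in the new `sendJSONresponse` trusts that `split /;/, $self->cors` yields an even-length name/value list; an odd count (a stray `;` in the configured policy, or a value that itself contains `;`) would shift every following header into the wrong slot of the PSGI header array, and the per-element debug lines would not make that obvious. A cheap guard before the push: `if ( @cors % 2 ) { $self->logger->error('CORS policy is not a list of header/value pairs, ignoring'); return $res; }`. The split and the logging loop also run on every JSON response, so the parsed list could be computed once where `$self->cors` is built — that code is not visible from here. Note that these headers are now attached to authenticated JSON responses as well, so the configured Allow-Origin/Allow-Credentials combination deserves the same scrutiny as the preflight path. `sendJSONresponse` is complete within the hunk; `loadTemplate` begins at the hunk's end and continues outside it.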
@ -24,6 +24,10 @@ ok( $res = $client->_get('/'), 'Unauth JSON request' );
|
|||
count(1);
|
||||
expectReject($res);
|
||||
|
||||
ok( $res = $client->_get('/ping'), 'Unauth JSON request' );
|
||||
count(1);
|
||||
checkCorsPolicy($res);
|
||||
|
||||
# Test "first access" with good url
|
||||
ok(
|
||||
$res =
|
||||
|
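Review bot: The new `/ping` request at the top of the hunk reuses the description `'Unauth JSON request'` from the `/` request just above it, so a failure in the TAP output cannot be told apart; `ok( $res = $client->_get('/ping'), 'Unauth JSON request to /ping' )` would be clearer. It also only inspects the CORS headers of the `/ping` reply and never its status code, so a 500 that still carries the policy would pass. If 200 is the intended status, an `is( $res->[0], 200, '/ping answers 200' )` with `count` bumped accordingly would pin that.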
@ -33,57 +37,23 @@ ok(
|
|||
count(1);
|
||||
expectReject($res);
|
||||
|
||||
# Test CORS "Preflight"
|
||||
ok( $res = $client->_options( '/', accept => 'text/html' ), 'Get Menu' );
|
||||
my %policy = @{ $res->[1] };
|
||||
count(1);
|
||||
|
||||
# CORS
|
||||
ok( $policy{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Credentials'} eq 'true',
|
||||
"CORS credentials 'true' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Headers'} eq '*', "CORS headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Methods'} eq 'POST',
|
||||
"CORS methods 'POST' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Expose-Headers'} eq '*',
|
||||
"CORS expose-headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Max-Age'} eq '86400', "CORS max-age '86400' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(6);
|
||||
checkCorsPolicy($res);
|
||||
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu' );
|
||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
%policy = @{ $res->[1] };
|
||||
checkCorsPolicy($res);
|
||||
|
||||
# CORS
|
||||
ok( $policy{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Credentials'} eq 'true',
|
||||
"CORS credentials 'true' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Headers'} eq '*', "CORS headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Methods'} eq 'POST',
|
||||
"CORS methods 'POST' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Expose-Headers'} eq '*',
|
||||
"CORS expose-headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Max-Age'} eq '86400', "CORS max-age '86400' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(6);
|
||||
my %headers = @{ $res->[1] };
|
||||
|
||||
#CSP
|
||||
ok(
|
||||
$policy{'Content-Security-Policy'} =~
|
||||
$headers{'Content-Security-Policy'} =~
|
||||
/default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action \*;frame-ancestors 'none'/,
|
||||
'CSP header value found'
|
||||
) or print STDERR Dumper( $res->[1] );
|
||||
|
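Review bot: `my %headers = @{ $res->[1] };` folds the PSGI header list into a hash, so a header emitted twice keeps only its last value and these assertions cannot detect a duplicated CORS or CSP header — which is the regression most worth catching now that CORS headers are also appended to JSON responses. If duplicates matter, count them on the raw list, e.g. `is( scalar( grep { $_ eq 'Access-Control-Allow-Origin' } @{ $res->[1] } ), 1, 'single Allow-Origin header' )`. The `ok( $headers{'Content-Security-Policy'} =~ /.../ )` check in the same spot would give a far better failure message written as `like( $headers{'Content-Security-Policy'}, qr/.../, 'CSP header value found' )`.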
@ -128,36 +98,44 @@ ok(
|
|||
);
|
||||
count(1);
|
||||
|
||||
%policy = @{ $res->[1] };
|
||||
%headers = @{ $res->[1] };
|
||||
|
||||
# Lm-Remote headers
|
||||
ok( $policy{'Lm-Remote-User'} eq 'dwho', "Lm-Remote-User found" )
|
||||
ok( $headers{'Lm-Remote-User'} eq 'dwho', "Lm-Remote-User found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Lm-Remote-Custom'} eq 'dwho@badwolf.org',
|
||||
ok( $headers{'Lm-Remote-Custom'} eq 'dwho@badwolf.org',
|
||||
"Lm-Remote-Custom found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(2);
|
||||
|
||||
# CORS
|
||||
ok( $policy{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Credentials'} eq 'true',
|
||||
"CORS credentials 'true' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Headers'} eq '*', "CORS headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Allow-Methods'} eq 'POST',
|
||||
"CORS methods 'POST' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Expose-Headers'} eq '*',
|
||||
"CORS expose-headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $policy{'Access-Control-Max-Age'} eq '86400', "CORS max-age '86400' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(6);
|
||||
checkCorsPolicy($res);
|
||||
|
||||
$client->logout($id);
|
||||
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
||||
|
||||
sub checkCorsPolicy {
|
||||
my ($res) = @_;
|
||||
my %headers = @{ $res->[1] };
|
||||
|
||||
ok( $headers{'Access-Control-Allow-Origin'} eq '', "CORS origin '' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $headers{'Access-Control-Allow-Credentials'} eq 'true',
|
||||
"CORS credentials 'true' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $headers{'Access-Control-Allow-Headers'} eq '*',
|
||||
"CORS headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $headers{'Access-Control-Allow-Methods'} eq 'POST',
|
||||
"CORS methods 'POST' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $headers{'Access-Control-Expose-Headers'} eq '*',
|
||||
"CORS expose-headers '*' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $headers{'Access-Control-Max-Age'} eq '86400',
|
||||
"CORS max-age '86400' found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(6);
|
||||
}
|
||||
|
|
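Review bot: `checkCorsPolicy` compares every header with `ok( $headers{...} eq '...' )`, so a missing header produces an "uninitialized value" warning and a bare "not ok" with no got/expected, leaving the `or print STDERR Dumper` fallback as the only diagnostic; `is( $headers{'Access-Control-Allow-Origin'}, '', "CORS origin '' found" )` gives the diff for free, handles undef cleanly, and lets the six `or print STDERR Dumper(...)` lines go. Its `count(6)` must be kept in step with the number of assertions by hand; a comment above the sub such as `# Six assertions below: keep count(6) in sync` would help the next editor. Separately, the pinned policy combines `Access-Control-Allow-Credentials: true` with `*` in Allow-Headers and Expose-Headers; browsers do not treat `*` as a wildcard when credentials are included, so if this is the shipped default it may not behave as intended — the configuration itself is outside this diff.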