Merge pull request #27248 from tinyclues/better_cors_headers

[Saltnado] - The CORS implementation was a bit naive about which request headers it allowed in preflight responses.
This commit is contained in:
Mike Place 2015-09-23 08:50:06 -06:00
commit 23fcc9e348
2 changed files with 14 additions and 3 deletions


@ -592,7 +592,13 @@ class BaseSaltAPIHandler(tornado.web.RequestHandler, SaltClientsMixIn): # pylin
Return CORS headers for preflight requests
'''
# Allow X-Auth-Token in requests
self.set_header('Access-Control-Allow-Headers', 'X-Auth-Token')
request_headers = self.request.headers.get('Access-Control-Request-Headers')
allowed_headers = request_headers.split(',')
# Filter allowed header here if needed.
# Allow request headers
self.set_header('Access-Control-Allow-Headers', ','.join(allowed_headers))
# Allow X-Auth-Token in responses
self.set_header('Access-Control-Expose-Headers', 'X-Auth-Token')
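Review bot: The new code on the `request_headers = ...` / `allowed_headers = request_headers.split(',')` lines crashes with AttributeError when a preflight arrives without an Access-Control-Request-Headers header, because `headers.get(...)` returns None and the old unconditional `X-Auth-Token` header is gone; a plain OPTIONS probe from a client or scanner would turn into a 500 instead of a 204. Defaulting and normalising the value fixes it: `request_headers = self.request.headers.get('Access-Control-Request-Headers', '')` and `allowed_headers = [h.strip() for h in request_headers.split(',') if h.strip()]`. Beyond that, echoing whatever the browser asks for is equivalent to allowing every header, so the preflight no longer gates anything on its own; that is acceptable only if the origin check done elsewhere in this class (not visible in the hunk) is strict, and the "Filter allowed header here if needed." comment should say so explicitly or be replaced by a real allowlist (header names compare case-insensitively) rather than left as an open-ended hint. The method's `def` line and its start are above this hunk.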


@ -314,10 +314,15 @@ class TestBaseSaltAPIHandler(SaltnadoTestCase):
'''
self._app.mod_opts['cors_origin'] = '*'
response = self.fetch('/', method='OPTIONS')
request_headers = 'X-Auth-Token, accept, content-type'
preflight_headers = {'Access-Control-Request-Headers': request_headers,
'Access-Control-Request-Method': 'GET'}
response = self.fetch('/', method='OPTIONS', headers=preflight_headers)
headers = response.headers
self.assertEqual(headers['Access-Control-Allow-Headers'], 'X-Auth-Token')
self.assertEqual(response.code, 204)
self.assertEqual(headers['Access-Control-Allow-Headers'], request_headers)
self.assertEqual(headers['Access-Control-Expose-Headers'], 'X-Auth-Token')
self.assertEqual(headers['Access-Control-Allow-Methods'], 'OPTIONS, GET, POST')
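Review bot: The test only exercises the happy path where Access-Control-Request-Headers is present; the earlier `response = self.fetch('/', method='OPTIONS')` call (no preflight headers) is still made but its response is immediately overwritten and never asserted, so a 500 on that path — which the handler change appears to produce when the header is missing, since `None.split(',')` raises — would go unnoticed. Assert on it before it is discarded, e.g. `self.assertEqual(response.code, 204)` right after that first fetch, or drop the call if it is no longer meant to be part of the test. The reflection assertion `self.assertEqual(headers['Access-Control-Allow-Headers'], request_headers)` also pins the exact byte-for-byte echo including the spaces after commas, which will break as soon as the handler normalises or filters header names; comparing the split-and-stripped sets would be more robust. The test method's `def` line is above this hunk.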