//
// Based on the spec at http://www.w3.org/TR/cors/
// The test numbers correspond to steps in the specification
//
/* eslint-env mocha */
var request = require ( 'supertest' )
var should = require ( 'should' )
var test = require ( './test' )
describe ( 'CORS: simple / actual requests' , function ( ) {
it('6.1.1 Does not set headers if Origin is missing', function (done) {
  // Without an Origin header the request is not a CORS request, so no
  // Access-Control-Allow-Origin may be added to the response.
  var allowed = ['http://api.myapp.com', 'http://www.myapp.com']
  var server = test.corsServer({ origins: allowed })
  request(server)
    .get('/test')
    .expect(test.noHeader('access-control-allow-origin'))
    .expect(200)
    .end(done)
})
it('6.1.2 Does not set headers if Origin does not match', function (done) {
  // An Origin outside the allow-list is treated like no Origin at all:
  // the response carries no Access-Control-Allow-Origin header.
  var allowed = ['http://api.myapp.com', 'http://www.myapp.com']
  var server = test.corsServer({ origins: allowed })
  request(server)
    .get('/test')
    .set('Origin', 'http://random-website.com')
    .expect(test.noHeader('access-control-allow-origin'))
    .expect(200)
    .end(done)
})
it('6.1.3 Sets Allow-Origin headers if the Origin matches', function (done) {
  // A listed Origin is echoed back verbatim as Access-Control-Allow-Origin.
  var origin = 'http://api.myapp.com'
  var server = test.corsServer({
    origins: [origin, 'http://www.myapp.com']
  })
  request(server)
    .get('/test')
    .set('Origin', origin)
    .expect('access-control-allow-origin', origin)
    .expect(200)
    .end(done)
})
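it('6.1.3 Does not set Access-Control-Allow-Credentials header if Origin is *', function () {
  // Credentials combined with a wildcard origin is rejected at construction:
  // a browser will not accept "Access-Control-Allow-Origin: *" on a
  // credentialed response, so the server refuses the configuration rather
  // than emitting headers it could never honour.
  // The assertion is synchronous, so no `done` callback is declared —
  // declaring one only made mocha treat the test as asynchronous.
  should.throws(function () {
    test.corsServer({
      origins: ['*'],
      credentials: true
    })
  })
})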
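it('6.1.3 Sets Access-Control-Allow-Credentials header if configured', function (done) {
  // With credentials enabled the response must carry
  // Access-Control-Allow-Credentials: true AND name the requesting origin
  // explicitly in Access-Control-Allow-Origin; a wildcard there would make
  // browsers discard the credentialed response, so both headers are pinned.
  var origin = 'http://api.myapp.com'
  var server = test.corsServer({
    origins: [origin],
    credentials: true
  })
  request(server)
    .get('/test')
    .set('Origin', origin)
    .expect('access-control-allow-origin', origin)
    .expect('access-control-allow-credentials', 'true')
    .expect(200)
    .end(done)
})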
it('6.1.4 Does not set exposed headers if empty', function (done) {
  // No exposeHeaders configured: the default entries (api-version among
  // them) are still advertised in Access-Control-Expose-Headers.
  var origin = 'http://api.myapp.com'
  var server = test.corsServer({
    origins: [origin, 'http://www.myapp.com']
  })
  request(server)
    .get('/test')
    .set('Origin', origin)
    .expect('access-control-allow-origin', origin)
    .expect('access-control-expose-headers', /api-version/) // defaults
    .expect(200)
    .end(done)
})
it('6.1.4 Sets exposed headers if configured', function (done) {
  // Custom exposeHeaders are added alongside the defaults, not in place of
  // them: both the configured names and api-version must be present.
  var origin = 'http://api.myapp.com'
  var server = test.corsServer({
    origins: [origin, 'http://www.myapp.com'],
    exposeHeaders: ['HeaderA', 'HeaderB']
  })
  request(server)
    .get('/test')
    .set('Origin', origin)
    .expect('access-control-allow-origin', origin)
    .expect('access-control-expose-headers', /HeaderA, HeaderB/) // custom
    .expect('access-control-expose-headers', /api-version/) // defaults
    .expect(200)
    .end(done)
})
it('Does not throw if "origins" option left undefined', function () {
  // Omitting `origins` entirely is an accepted configuration, not an error.
  var createServer = function () {
    test.corsServer({})
  }
  should.doesNotThrow(createServer)
})
} )