// Copyright 2015 Google Inc. All rights reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cors import ( "net/http" "net/http/httptest" "testing" ) func TestServeHTTPSameOrigin(t *testing.T) { var handlerRun bool h := NewHandler(http.HandlerFunc( func(rw http.ResponseWriter, req *http.Request) { handlerRun = true })) req, err := http.NewRequest("GET", "http://example.com", nil) if err != nil { t.Fatalf("http.NewRequest(): got %v, want no error", err) } rw := httptest.NewRecorder() h.ServeHTTP(rw, req) if !handlerRun { t.Error("handlerRun: got false, want true") } } func TestServeHTTPPreflight(t *testing.T) { var handlerRun bool h := NewHandler(http.HandlerFunc( func(rw http.ResponseWriter, req *http.Request) { handlerRun = true })) h.AllowCredentials(true) req, err := http.NewRequest("OPTIONS", "http://example.com", nil) if err != nil { t.Fatalf("http.NewRequest(): got %v, want no error", err) } req.Header.Set("Origin", "http://google.com") req.Header.Set("Access-Control-Request-Method", "PUT") req.Header.Set("Access-Control-Request-Headers", "Cors-Test") rw := httptest.NewRecorder() h.ServeHTTP(rw, req) if got, want := rw.Header().Get("Access-Control-Allow-Origin"), "*"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Origin", got, want) } if got, want := rw.Header().Get("Access-Control-Allow-Methods"), "PUT"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Methods", got, want) } if got, want := rw.Header().Get("Access-Control-Allow-Headers"), "Cors-Test"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Headers", got, want) } if got, want := rw.Header().Get("Access-Control-Allow-Credentials"), "true"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Credentials", got, want) } if handlerRun { t.Error("handlerRun: got true, want false") } } func TestServeHTTPSimple(t *testing.T) { var handlerRun bool h := NewHandler(http.HandlerFunc( func(rw http.ResponseWriter, req *http.Request) { handlerRun = true })) h.SetOrigin("http://martian.local") req, err := http.NewRequest("GET", "http://example.com", nil) if err != nil { t.Fatalf("http.NewRequest(): got %v, want no error", err) } req.Header.Set("Origin", "http://google.com") req.Header.Set("Access-Control-Request-Method", "GET") req.Header.Set("Access-Control-Request-Headers", "Cors-Test") rw := httptest.NewRecorder() h.ServeHTTP(rw, req) if got, want := rw.Header().Get("Access-Control-Allow-Origin"), "http://martian.local"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Origin", got, want) } if got, want := rw.Header().Get("Access-Control-Allow-Methods"), "GET"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Methods", got, want) } if got, want := rw.Header().Get("Access-Control-Allow-Headers"), "Cors-Test"; got != want { t.Errorf("rw.Header().Get(%q): got %q, want %q", "Access-Control-Allow-Headers", got, want) } if !handlerRun { t.Error("handlerRun: got false, want true") } }