mirror of https://github.com/django/django.git
Moved clickjacking decorator tests into decorators/test_clickjacking.py.
This also adds extra assertions.
This commit is contained in:
Ben Lomax
Mariusz Felisiak
parent
a2da81fe08
commit
b43936f2ec
|
|
@ -0,0 +1,50 @@
|
|||
from django.http import HttpRequest, HttpResponse
|
||||
from django.middleware.clickjacking import XFrameOptionsMiddleware
|
||||
from django.test import SimpleTestCase
|
||||
from django.views.decorators.clickjacking import (
|
||||
xframe_options_deny,
|
||||
xframe_options_exempt,
|
||||
xframe_options_sameorigin,
|
||||
)
|
||||
|
||||
|
||||
class XFrameOptionsDenyTests(SimpleTestCase):
|
||||
def test_decorator_sets_x_frame_options_to_deny(self):
|
||||
@xframe_options_deny
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
response = a_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
|
||||
|
||||
|
||||
class XFrameOptionsSameoriginTests(SimpleTestCase):
|
||||
def test_decorator_sets_x_frame_options_to_sameorigin(self):
|
||||
@xframe_options_sameorigin
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
response = a_view(HttpRequest())
|
||||
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
|
||||
|
||||
|
||||
class XFrameOptionsExemptTests(SimpleTestCase):
|
||||
def test_decorator_stops_x_frame_options_being_set(self):
|
||||
"""
|
||||
@xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
|
||||
the header.
|
||||
"""
|
||||
|
||||
@xframe_options_exempt
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
request = HttpRequest()
|
||||
response = a_view(request)
|
||||
self.assertIsNone(response.get("X-Frame-Options", None))
|
||||
self.assertIs(response.xframe_options_exempt, True)
|
||||
|
||||
# The real purpose of the exempt decorator is to suppress the
|
||||
# middleware's functionality.
|
||||
middleware_response = XFrameOptionsMiddleware(a_view)(request)
|
||||
self.assertIsNone(middleware_response.get("X-Frame-Options"))
|
||||
|
|
@ -8,17 +8,11 @@ from django.contrib.auth.decorators import (
|
|||
user_passes_test,
|
||||
)
|
||||
from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed
|
||||
from django.middleware.clickjacking import XFrameOptionsMiddleware
|
||||
from django.test import SimpleTestCase
|
||||
from django.utils.decorators import method_decorator
|
||||
from django.utils.functional import keep_lazy, keep_lazy_text, lazy
|
||||
from django.utils.safestring import mark_safe
|
||||
from django.views.decorators.cache import cache_control, cache_page, never_cache
|
||||
from django.views.decorators.clickjacking import (
|
||||
xframe_options_deny,
|
||||
xframe_options_exempt,
|
||||
xframe_options_sameorigin,
|
||||
)
|
||||
from django.views.decorators.http import (
|
||||
condition,
|
||||
require_GET,
|
||||
|
|
@ -463,54 +457,3 @@ class MethodDecoratorTests(SimpleTestCase):
|
|||
Test().method()
|
||||
self.assertEqual(func_name, "method")
|
||||
self.assertIsNotNone(func_module)
|
||||
|
||||
|
||||
class XFrameOptionsDecoratorsTests(TestCase):
|
||||
"""
|
||||
Tests for the X-Frame-Options decorators.
|
||||
"""
|
||||
|
||||
def test_deny_decorator(self):
|
||||
"""
|
||||
Ensures @xframe_options_deny properly sets the X-Frame-Options header.
|
||||
"""
|
||||
|
||||
@xframe_options_deny
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
r = a_view(HttpRequest())
|
||||
self.assertEqual(r.headers["X-Frame-Options"], "DENY")
|
||||
|
||||
def test_sameorigin_decorator(self):
|
||||
"""
|
||||
Ensures @xframe_options_sameorigin properly sets the X-Frame-Options
|
||||
header.
|
||||
"""
|
||||
|
||||
@xframe_options_sameorigin
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
r = a_view(HttpRequest())
|
||||
self.assertEqual(r.headers["X-Frame-Options"], "SAMEORIGIN")
|
||||
|
||||
def test_exempt_decorator(self):
|
||||
"""
|
||||
Ensures @xframe_options_exempt properly instructs the
|
||||
XFrameOptionsMiddleware to NOT set the header.
|
||||
"""
|
||||
|
||||
@xframe_options_exempt
|
||||
def a_view(request):
|
||||
return HttpResponse()
|
||||
|
||||
req = HttpRequest()
|
||||
resp = a_view(req)
|
||||
self.assertIsNone(resp.get("X-Frame-Options", None))
|
||||
self.assertTrue(resp.xframe_options_exempt)
|
||||
|
||||
# Since the real purpose of the exempt decorator is to suppress
|
||||
# the middleware's functionality, let's make sure it actually works...
|
||||
r = XFrameOptionsMiddleware(a_view)(req)
|
||||
self.assertIsNone(r.get("X-Frame-Options", None))
|
||||
|
|
|
|||
Loading…
Reference in New Issue