Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure allow credentials header is not emitted for disallowed origins #888

Merged
merged 2 commits into from
Oct 11, 2023
Merged

Ensure allow credentials header is not emitted for disallowed origins #888

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
141ac66
Ensure allow credentials header is not emitted for disallowed origins
romanek-adam Aug 24, 2023
0e57b82
Edits
adamchainz Oct 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
Changelog
=========

* Avoid adding the ``access-control-allow-credentials`` header to unallowed responses.

Thanks to Adam Romanek in `PR #888 <https://github.com/adamchainz/django-cors-headers/pull/888>`__.

* Support Django 5.0.

4.2.0 (2023-07-10)
Expand Down
6 changes: 3 additions & 3 deletions src/corsheaders/middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,9 +105,6 @@ def add_response_headers(
except ValueError:
return response

if conf.CORS_ALLOW_CREDENTIALS:
response[ACCESS_CONTROL_ALLOW_CREDENTIALS] = "true"

if (
not conf.CORS_ALLOW_ALL_ORIGINS
and not self.origin_found_in_white_lists(origin, url)
Expand All @@ -120,6 +117,9 @@ def add_response_headers(
else:
response[ACCESS_CONTROL_ALLOW_ORIGIN] = origin

if conf.CORS_ALLOW_CREDENTIALS:
response[ACCESS_CONTROL_ALLOW_CREDENTIALS] = "true"

if len(conf.CORS_EXPOSE_HEADERS):
response[ACCESS_CONTROL_EXPOSE_HEADERS] = ", ".join(
conf.CORS_EXPOSE_HEADERS
Expand Down
15 changes: 12 additions & 3 deletions tests/test_middleware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,13 +85,22 @@ def test_get_dont_expose_headers(self):
resp = self.client.get("/", HTTP_ORIGIN="https://example.com")
assert ACCESS_CONTROL_EXPOSE_HEADERS not in resp

@override_settings(CORS_ALLOW_CREDENTIALS=True, CORS_ALLOW_ALL_ORIGINS=True)
@override_settings(
CORS_ALLOWED_ORIGINS=["https://example.com"], CORS_ALLOW_CREDENTIALS=True
)
def test_get_allow_credentials(self):
resp = self.client.get("/", HTTP_ORIGIN="https://example.com")
assert resp[ACCESS_CONTROL_ALLOW_CREDENTIALS] == "true"

@override_settings(CORS_ALLOW_ALL_ORIGINS=True)
def test_get_dont_allow_credentials(self):
@override_settings(
CORS_ALLOWED_ORIGINS=["https://example.com"], CORS_ALLOW_CREDENTIALS=True
)
def test_get_allow_credentials_bad_origin(self):
resp = self.client.get("/", HTTP_ORIGIN="https://example.org")
assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in resp

@override_settings(CORS_ALLOWED_ORIGINS=["https://example.com"])
def test_get_allow_credentials_disabled(self):
resp = self.client.get("/", HTTP_ORIGIN="https://example.com")
assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in resp

Expand Down