Fixed #31789 -- Added a new headers interface to HttpResponse.
parent
71ae1ab012
commit
bcc2befd0e
47 changed files with 385 additions and 256 deletions
|
@ -17,7 +17,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
response = HttpResponse(*args, **kwargs)
|
||||
if headers:
|
||||
for k, v in headers.items():
|
||||
response[k] = v
|
||||
response.headers[k] = v
|
||||
return response
|
||||
return get_response
|
||||
|
||||
|
@ -47,7 +47,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
"Strict-Transport-Security: max-age=3600" to the response.
|
||||
"""
|
||||
self.assertEqual(
|
||||
self.process_response(secure=True)["Strict-Transport-Security"],
|
||||
self.process_response(secure=True).headers['Strict-Transport-Security'],
|
||||
'max-age=3600',
|
||||
)
|
||||
|
||||
|
@ -60,7 +60,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
response = self.process_response(
|
||||
secure=True,
|
||||
headers={"Strict-Transport-Security": "max-age=7200"})
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=7200")
|
||||
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=7200")
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=3600)
|
||||
def test_sts_only_if_secure(self):
|
||||
|
@ -68,7 +68,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
The "Strict-Transport-Security" header is not added to responses going
|
||||
over an insecure connection.
|
||||
"""
|
||||
self.assertNotIn("Strict-Transport-Security", self.process_response(secure=False))
|
||||
self.assertNotIn(
|
||||
'Strict-Transport-Security',
|
||||
self.process_response(secure=False).headers,
|
||||
)
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=0)
|
||||
def test_sts_off(self):
|
||||
|
@ -76,7 +79,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_HSTS_SECONDS=0, the middleware does not add a
|
||||
"Strict-Transport-Security" header to the response.
|
||||
"""
|
||||
self.assertNotIn("Strict-Transport-Security", self.process_response(secure=True))
|
||||
self.assertNotIn(
|
||||
'Strict-Transport-Security',
|
||||
self.process_response(secure=True).headers,
|
||||
)
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=True)
|
||||
def test_sts_include_subdomains(self):
|
||||
|
@ -86,7 +92,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
"includeSubDomains" directive to the response.
|
||||
"""
|
||||
response = self.process_response(secure=True)
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=600; includeSubDomains")
|
||||
self.assertEqual(
|
||||
response.headers['Strict-Transport-Security'],
|
||||
'max-age=600; includeSubDomains',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=False)
|
||||
def test_sts_no_include_subdomains(self):
|
||||
|
@ -96,7 +105,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
the "includeSubDomains" directive to the response.
|
||||
"""
|
||||
response = self.process_response(secure=True)
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=600")
|
||||
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=600")
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=True)
|
||||
def test_sts_preload(self):
|
||||
|
@ -106,7 +115,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
directive to the response.
|
||||
"""
|
||||
response = self.process_response(secure=True)
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400; preload")
|
||||
self.assertEqual(
|
||||
response.headers['Strict-Transport-Security'],
|
||||
'max-age=10886400; preload',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_INCLUDE_SUBDOMAINS=True, SECURE_HSTS_PRELOAD=True)
|
||||
def test_sts_subdomains_and_preload(self):
|
||||
|
@ -117,7 +129,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
to the response.
|
||||
"""
|
||||
response = self.process_response(secure=True)
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400; includeSubDomains; preload")
|
||||
self.assertEqual(
|
||||
response.headers['Strict-Transport-Security'],
|
||||
'max-age=10886400; includeSubDomains; preload',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=False)
|
||||
def test_sts_no_preload(self):
|
||||
|
@ -127,7 +142,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
the "preload" directive to the response.
|
||||
"""
|
||||
response = self.process_response(secure=True)
|
||||
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400")
|
||||
self.assertEqual(
|
||||
response.headers['Strict-Transport-Security'],
|
||||
'max-age=10886400',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
|
||||
def test_content_type_on(self):
|
||||
|
@ -135,7 +153,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_CONTENT_TYPE_NOSNIFF set to True, the middleware adds
|
||||
"X-Content-Type-Options: nosniff" header to the response.
|
||||
"""
|
||||
self.assertEqual(self.process_response()["X-Content-Type-Options"], "nosniff")
|
||||
self.assertEqual(
|
||||
self.process_response().headers['X-Content-Type-Options'],
|
||||
'nosniff',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
|
||||
def test_content_type_already_present(self):
|
||||
|
@ -144,7 +165,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
already present in the response.
|
||||
"""
|
||||
response = self.process_response(secure=True, headers={"X-Content-Type-Options": "foo"})
|
||||
self.assertEqual(response["X-Content-Type-Options"], "foo")
|
||||
self.assertEqual(response.headers["X-Content-Type-Options"], "foo")
|
||||
|
||||
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=False)
|
||||
def test_content_type_off(self):
|
||||
|
@ -152,7 +173,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_CONTENT_TYPE_NOSNIFF False, the middleware does not add an
|
||||
"X-Content-Type-Options" header to the response.
|
||||
"""
|
||||
self.assertNotIn("X-Content-Type-Options", self.process_response())
|
||||
self.assertNotIn('X-Content-Type-Options', self.process_response().headers)
|
||||
|
||||
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
|
||||
def test_xss_filter_on(self):
|
||||
|
@ -160,7 +181,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_BROWSER_XSS_FILTER set to True, the middleware adds
|
||||
"s-xss-protection: 1; mode=block" header to the response.
|
||||
"""
|
||||
self.assertEqual(self.process_response()["X-XSS-Protection"], "1; mode=block")
|
||||
self.assertEqual(
|
||||
self.process_response().headers['X-XSS-Protection'],
|
||||
'1; mode=block',
|
||||
)
|
||||
|
||||
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
|
||||
def test_xss_filter_already_present(self):
|
||||
|
@ -169,7 +193,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
already present in the response.
|
||||
"""
|
||||
response = self.process_response(secure=True, headers={"X-XSS-Protection": "foo"})
|
||||
self.assertEqual(response["X-XSS-Protection"], "foo")
|
||||
self.assertEqual(response.headers["X-XSS-Protection"], "foo")
|
||||
|
||||
@override_settings(SECURE_BROWSER_XSS_FILTER=False)
|
||||
def test_xss_filter_off(self):
|
||||
|
@ -177,7 +201,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_BROWSER_XSS_FILTER set to False, the middleware does not
|
||||
add an "X-XSS-Protection" header to the response.
|
||||
"""
|
||||
self.assertNotIn("X-XSS-Protection", self.process_response())
|
||||
self.assertNotIn('X-XSS-Protection', self.process_response().headers)
|
||||
|
||||
@override_settings(SECURE_SSL_REDIRECT=True)
|
||||
def test_ssl_redirect_on(self):
|
||||
|
@ -229,7 +253,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
With SECURE_REFERRER_POLICY set to None, the middleware does not add a
|
||||
"Referrer-Policy" header to the response.
|
||||
"""
|
||||
self.assertNotIn('Referrer-Policy', self.process_response())
|
||||
self.assertNotIn('Referrer-Policy', self.process_response().headers)
|
||||
|
||||
def test_referrer_policy_on(self):
|
||||
"""
|
||||
|
@ -245,7 +269,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
)
|
||||
for value, expected in tests:
|
||||
with self.subTest(value=value), override_settings(SECURE_REFERRER_POLICY=value):
|
||||
self.assertEqual(self.process_response()['Referrer-Policy'], expected)
|
||||
self.assertEqual(
|
||||
self.process_response().headers['Referrer-Policy'],
|
||||
expected,
|
||||
)
|
||||
|
||||
@override_settings(SECURE_REFERRER_POLICY='strict-origin')
|
||||
def test_referrer_policy_already_present(self):
|
||||
|
@ -254,4 +281,4 @@ class SecurityMiddlewareTest(SimpleTestCase):
|
|||
present in the response.
|
||||
"""
|
||||
response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
|
||||
self.assertEqual(response['Referrer-Policy'], 'unsafe-url')
|
||||
self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url')
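Review bot: The docstring of `test_xss_filter_on` (context lines of the `@ -160,7 +181,10 @` hunk) names the header as "s-xss-protection: 1; mode=block", while the assertion directly below it reads `X-XSS-Protection`. Since this hunk already rewrites that assertion, the docstring line should be corrected to `"X-XSS-Protection: 1; mode=block" header to the response.` so the documented header matches the one the test pins. The test's `def` line sits in the previous hunk's trailing context, so only the tail of the docstring and the assertion are visible here.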
|
||||
|
|
|
@ -292,7 +292,7 @@ class CommonMiddlewareTest(SimpleTestCase):
|
|||
return response
|
||||
|
||||
response = CommonMiddleware(get_response)(self.rf.get('/'))
|
||||
self.assertEqual(int(response['Content-Length']), len(response.content))
|
||||
self.assertEqual(int(response.headers['Content-Length']), len(response.content))
|
||||
|
||||
def test_content_length_header_not_added_for_streaming_response(self):
|
||||
def get_response(req):
|
||||
|
@ -308,11 +308,11 @@ class CommonMiddlewareTest(SimpleTestCase):
|
|||
|
||||
def get_response(req):
|
||||
response = HttpResponse()
|
||||
response['Content-Length'] = bad_content_length
|
||||
response.headers['Content-Length'] = bad_content_length
|
||||
return response
|
||||
|
||||
response = CommonMiddleware(get_response)(self.rf.get('/'))
|
||||
self.assertEqual(int(response['Content-Length']), bad_content_length)
|
||||
self.assertEqual(int(response.headers['Content-Length']), bad_content_length)
|
||||
|
||||
# Other tests
|
||||
|
||||
|
@ -607,7 +607,7 @@ class ConditionalGetMiddlewareTest(SimpleTestCase):
|
|||
self.assertEqual(new_response.status_code, 304)
|
||||
base_response = get_response(self.req)
|
||||
for header in ('Cache-Control', 'Content-Location', 'Date', 'ETag', 'Expires', 'Last-Modified', 'Vary'):
|
||||
self.assertEqual(new_response[header], base_response[header])
|
||||
self.assertEqual(new_response.headers[header], base_response.headers[header])
|
||||
self.assertEqual(new_response.cookies, base_response.cookies)
|
||||
self.assertNotIn('Content-Language', new_response)
|
||||
|
||||
|
@ -622,7 +622,7 @@ class ConditionalGetMiddlewareTest(SimpleTestCase):
|
|||
return HttpResponse(status=200)
|
||||
|
||||
response = ConditionalGetMiddleware(self.get_response)(self.req)
|
||||
etag = response['ETag']
|
||||
etag = response.headers['ETag']
|
||||
put_request = self.request_factory.put('/', HTTP_IF_MATCH=etag)
|
||||
conditional_get_response = ConditionalGetMiddleware(get_200_response)(put_request)
|
||||
self.assertEqual(conditional_get_response.status_code, 200) # should never be a 412
|
||||
|
@ -653,11 +653,11 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
"""
|
||||
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
|
||||
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
with override_settings(X_FRAME_OPTIONS='sameorigin'):
|
||||
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
def test_deny(self):
|
||||
"""
|
||||
|
@ -666,11 +666,11 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
"""
|
||||
with override_settings(X_FRAME_OPTIONS='DENY'):
|
||||
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
|
||||
|
||||
with override_settings(X_FRAME_OPTIONS='deny'):
|
||||
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
|
||||
|
||||
def test_defaults_sameorigin(self):
|
||||
"""
|
||||
|
@ -680,7 +680,7 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
with override_settings(X_FRAME_OPTIONS=None):
|
||||
del settings.X_FRAME_OPTIONS # restored by override_settings
|
||||
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
|
||||
|
||||
def test_dont_set_if_set(self):
|
||||
"""
|
||||
|
@ -689,21 +689,21 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
"""
|
||||
def same_origin_response(request):
|
||||
response = HttpResponse()
|
||||
response['X-Frame-Options'] = 'SAMEORIGIN'
|
||||
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
|
||||
return response
|
||||
|
||||
def deny_response(request):
|
||||
response = HttpResponse()
|
||||
response['X-Frame-Options'] = 'DENY'
|
||||
response.headers['X-Frame-Options'] = 'DENY'
|
||||
return response
|
||||
|
||||
with override_settings(X_FRAME_OPTIONS='DENY'):
|
||||
r = XFrameOptionsMiddleware(same_origin_response)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
|
||||
r = XFrameOptionsMiddleware(deny_response)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
|
||||
|
||||
def test_response_exempt(self):
|
||||
"""
|
||||
|
@ -722,10 +722,10 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
|
||||
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
|
||||
r = XFrameOptionsMiddleware(xframe_not_exempt_response)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
r = XFrameOptionsMiddleware(xframe_exempt_response)(HttpRequest())
|
||||
self.assertIsNone(r.get('X-Frame-Options'))
|
||||
self.assertIsNone(r.headers.get('X-Frame-Options'))
|
||||
|
||||
def test_is_extendable(self):
|
||||
"""
|
||||
|
@ -749,16 +749,16 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
|||
|
||||
with override_settings(X_FRAME_OPTIONS='DENY'):
|
||||
r = OtherXFrameOptionsMiddleware(same_origin_response)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
request = HttpRequest()
|
||||
request.sameorigin = True
|
||||
r = OtherXFrameOptionsMiddleware(get_response_empty)(request)
|
||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
|
||||
|
||||
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
|
||||
r = OtherXFrameOptionsMiddleware(get_response_empty)(HttpRequest())
|
||||
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
|
||||
|
||||
|
||||
class GZipMiddlewareTest(SimpleTestCase):
|
||||
|
@ -916,12 +916,12 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
|
|||
"""
|
||||
def get_response(req):
|
||||
response = HttpResponse(self.compressible_string)
|
||||
response['ETag'] = '"eggs"'
|
||||
response.headers['ETag'] = '"eggs"'
|
||||
return response
|
||||
|
||||
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
|
||||
gzip_response = GZipMiddleware(get_response)(request)
|
||||
self.assertEqual(gzip_response['ETag'], 'W/"eggs"')
|
||||
self.assertEqual(gzip_response.headers['ETag'], 'W/"eggs"')
|
||||
|
||||
def test_weak_etag_not_modified(self):
|
||||
"""
|
||||
|
@ -929,12 +929,12 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
|
|||
"""
|
||||
def get_response(req):
|
||||
response = HttpResponse(self.compressible_string)
|
||||
response['ETag'] = 'W/"eggs"'
|
||||
response.headers['ETag'] = 'W/"eggs"'
|
||||
return response
|
||||
|
||||
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
|
||||
gzip_response = GZipMiddleware(get_response)(request)
|
||||
self.assertEqual(gzip_response['ETag'], 'W/"eggs"')
|
||||
self.assertEqual(gzip_response.headers['ETag'], 'W/"eggs"')
|
||||
|
||||
def test_etag_match(self):
|
||||
"""
|
||||
|
@ -949,7 +949,7 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
|
|||
|
||||
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
|
||||
response = GZipMiddleware(get_cond_response)(request)
|
||||
gzip_etag = response['ETag']
|
||||
gzip_etag = response.headers['ETag']
|
||||
next_request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate', HTTP_IF_NONE_MATCH=gzip_etag)
|
||||
next_response = ConditionalGetMiddleware(get_response)(next_request)
|
||||
self.assertEqual(next_response.status_code, 304)
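Review bot: In the `@ -607,7 +607,7 @` hunk of ConditionalGetMiddlewareTest the per-header comparison now goes through `.headers`, but the assertion two lines later, `self.assertNotIn('Content-Language', new_response)`, still uses the response object's own membership test, whereas the other `assertNotIn` checks visible in this commit were moved to `.headers`. If that is not deliberate coverage of the older mapping-style access, change it to `self.assertNotIn('Content-Language', new_response.headers)`; if it is deliberate, a short comment such as `# Mapping-style access on the response is still supported.` would say so. Separately, `test_defaults_sameorigin` asserts `'DENY'` in the `@ -680,7 +680,7 @` hunk, so its name no longer describes the clickjacking default it pins; its docstring is outside the hunk and may already explain this. Both enclosing test methods start outside their hunks.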
|
||||
|
|