From 57173e5dd4bd5fcc65b42aff9216124a74078730 Mon Sep 17 00:00:00 2001
From: hidraco
Date: Sun, 13 Jun 2021 23:59:17 +0800
Subject: [PATCH] Deduplicate failure text in CORS preflight response (#1199)

Co-authored-by: Jamie Hewland
---
 starlette/middleware/cors.py  |  1 +
 tests/middleware/test_cors.py | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
index 0b3f505..c850579 100644
--- a/starlette/middleware/cors.py
+++ b/starlette/middleware/cors.py
@@ -129,6 +129,7 @@ def preflight_response(self, request_headers: Headers) -> Response:
         for header in [h.lower() for h in requested_headers.split(",")]:
             if header.strip() not in self.allow_headers:
                 failures.append("headers")
+                break
 
         # We don't strictly need to use 400 responses here, since its up to
         # the browser to enforce the CORS policy, but its more informative
diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
index 7a250a2..266ebca 100644
--- a/tests/middleware/test_cors.py
+++ b/tests/middleware/test_cors.py
@@ -179,6 +179,16 @@ def homepage(request):
     assert response.text == "Disallowed CORS origin, method, headers"
     assert "access-control-allow-origin" not in response.headers
 
+    # Bug specific test, https://github.com/encode/starlette/pull/1199
+    # Test preflight response text with multiple disallowed headers
+    headers = {
+        "Origin": "https://example.org",
+        "Access-Control-Request-Method": "GET",
+        "Access-Control-Request-Headers": "X-Nope-1, X-Nope-2",
+    }
+    response = client.options("/", headers=headers)
+    assert response.text == "Disallowed CORS headers"
+
 
 def test_preflight_allows_request_origin_if_origins_wildcard_and_credentials_allowed():
     app = Starlette()
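Review bot: The added `break` fixes the duplicate-entry symptom, but the loop now exists only to answer a yes/no question, and a reader has to notice the `break` to see that; the same check reads more directly as `if any(h.strip().lower() not in self.allow_headers for h in requested_headers.split(",")): failures.append("headers")`, which also drops the intermediate list built by the comprehension. A short comment on the check, `# One "headers" entry is enough; the response text lists each failure category once`, would explain why only the first disallowed header matters. Note that `header.strip()` is applied after `lower()`, so whitespace around commas is tolerated, but this depends on `self.allow_headers` being stored lowercased, which is set outside this hunk and should be confirmed. `preflight_response` starts before and continues after the hunk.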
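Review bot: The new test checks only the response text, so a regression that returned the right body with a permissive status or an `access-control-allow-origin` header would still pass; the preceding assertions in the same function check the header, and the new case should mirror that with `assert "access-control-allow-origin" not in response.headers` and, since the middleware comment says disallowed preflights use 400 responses, `assert response.status_code == 400`. The surrounding test function starts outside the hunk.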