20
20
# CORS is allowed for https only
21
21
CLIENT_URI = "https://example.org"
22
22
23
+ CLIENT_URI_HTTP = "http://example.org"
24
+
23
25
24
26
@pytest .mark .usefixtures ("oauth2_settings" )
25
27
@pytest .mark .oauth2_settings (presets .DEFAULT_SCOPES_RW )
@@ -39,7 +41,7 @@ def setUp(self):
39
41
40
42
self .application = Application .objects .create (
41
43
name = "Test Application" ,
42
- redirect_uris = ( CLIENT_URI ) ,
44
+ redirect_uris = CLIENT_URI ,
43
45
user = self .dev_user ,
44
46
client_type = Application .CLIENT_CONFIDENTIAL ,
45
47
authorization_grant_type = Application .GRANT_AUTHORIZATION_CODE ,
@@ -85,6 +87,26 @@ def test_cors_header(self):
85
87
self .assertEqual (response .status_code , 200 )
86
88
self .assertEqual (response ["Access-Control-Allow-Origin" ], CLIENT_URI )
87
89
90
+ def test_cors_header_no_https (self ):
91
+ """
92
+ Test that CORS is not allowed if origin uri does not have https:// schema
93
+ """
94
+ authorization_code = self ._get_authorization_code ()
95
+
96
+ # exchange authorization code for a valid access token
97
+ token_request_data = {
98
+ "grant_type" : "authorization_code" ,
99
+ "code" : authorization_code ,
100
+ "redirect_uri" : CLIENT_URI ,
101
+ }
102
+
103
+ auth_headers = get_basic_auth_header (self .application .client_id , CLEARTEXT_SECRET )
104
+ auth_headers ["HTTP_ORIGIN" ] = CLIENT_URI_HTTP
105
+ response = self .client .post (reverse ("oauth2_provider:token" ), data = token_request_data , ** auth_headers )
106
+
107
+ self .assertEqual (response .status_code , 200 )
108
+ self .assertFalse (response .has_header ("Access-Control-Allow-Origin" ))
109
+
88
110
def test_no_cors_header_origin_not_allowed (self ):
89
111
"""
90
112
Test that /token endpoint does not have Access-Control-Allow-Origin
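Review bot: The docstring of the new `test_cors_header_no_https` says "schema" where the URI component in question is the scheme, and it leaves implicit what the two assertions actually establish: the token request itself still succeeds with a 200, and only the `Access-Control-Allow-Origin` header is withheld for the non-https Origin. I would reword it as `Test that no Access-Control-Allow-Origin header is returned when the Origin does not use the https:// scheme; the token request itself still succeeds.` so a reader does not expect the request to be rejected. `self._get_authorization_code()` is defined outside this hunk, so whether the code it returns was issued for `CLIENT_URI` (matching the `redirect_uri` sent here) cannot be confirmed from this view; if it is not, the 200 assertion would be testing the redirect-URI match rather than the CORS behaviour.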