mirror of https://github.com/django/django.git
51 lines
1.7 KiB
Python
51 lines
1.7 KiB
Python
|
from django.http import HttpRequest, HttpResponse
|
||
|
|
from django.middleware.clickjacking import XFrameOptionsMiddleware
|
||
|
|
from django.test import SimpleTestCase
|
||
|
|
from django.views.decorators.clickjacking import (
|
||
|
|
xframe_options_deny,
|
||
|
|
xframe_options_exempt,
|
||
|
|
xframe_options_sameorigin,
|
||
|
|
)
|
||
|
|
|
||
|
|
|
||
|
|
class XFrameOptionsDenyTests(SimpleTestCase):
|
||
|
|
def test_decorator_sets_x_frame_options_to_deny(self):
|
||
|
|
@xframe_options_deny
|
||
|
|
def a_view(request):
|
||
|
|
return HttpResponse()
|
||
|
|
|
||
|
|
response = a_view(HttpRequest())
|
||
|
|
self.assertEqual(response.headers["X-Frame-Options"], "DENY")
|
||
|
|
|
||
|
|
|
||
|
|
class XFrameOptionsSameoriginTests(SimpleTestCase):
|
||
|
|
def test_decorator_sets_x_frame_options_to_sameorigin(self):
|
||
|
|
@xframe_options_sameorigin
|
||
|
|
def a_view(request):
|
||
|
|
return HttpResponse()
|
||
|
|
|
||
|
|
response = a_view(HttpRequest())
|
||
|
|
self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
|
||
|
|
|
||
|
|
|
||
|
|
class XFrameOptionsExemptTests(SimpleTestCase):
|
||
|
|
def test_decorator_stops_x_frame_options_being_set(self):
|
||
|
|
"""
|
||
|
|
@xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
|
||
|
|
the header.
|
||
|
|
"""
|
||
|
|
|
||
|
|
@xframe_options_exempt
|
||
|
|
def a_view(request):
|
||
|
|
return HttpResponse()
|
||
|
|
|
||
|
|
request = HttpRequest()
|
||
|
|
response = a_view(request)
|
||
|
|
self.assertIsNone(response.get("X-Frame-Options", None))
|
||
|
|
self.assertIs(response.xframe_options_exempt, True)
|
||
|
|
|
||
|
|
# The real purpose of the exempt decorator is to suppress the
|
||
|
|
# middleware's functionality.
|
||
|
|
middleware_response = XFrameOptionsMiddleware(a_view)(request)
|
||
|
|
self.assertIsNone(middleware_response.get("X-Frame-Options"))
|