Moved clickjacking decorator tests into decorators/test_clickjacking.py.

This also adds extra assertions.
2025-10-27 15:46:10 +00:00 · 2023-04-26 06:48:33 +01:00
parent a2da81fe08
commit b43936f2ec
2 changed files with 50 additions and 57 deletions
--- a/tests/decorators/test_clickjacking.py
+++ b/tests/decorators/test_clickjacking.py
@@ -0,0 +1,50 @@
+from django.http import HttpRequest, HttpResponse
+from django.middleware.clickjacking import XFrameOptionsMiddleware
+from django.test import SimpleTestCase
+from django.views.decorators.clickjacking import (
+    xframe_options_deny,
+    xframe_options_exempt,
+    xframe_options_sameorigin,
+)
+
+
+class XFrameOptionsDenyTests(SimpleTestCase):
+    def test_decorator_sets_x_frame_options_to_deny(self):
+        @xframe_options_deny
+        def a_view(request):
+            return HttpResponse()
+
+        response = a_view(HttpRequest())
+        self.assertEqual(response.headers["X-Frame-Options"], "DENY")
+
+
+class XFrameOptionsSameoriginTests(SimpleTestCase):
+    def test_decorator_sets_x_frame_options_to_sameorigin(self):
+        @xframe_options_sameorigin
+        def a_view(request):
+            return HttpResponse()
+
+        response = a_view(HttpRequest())
+        self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
+
+
+class XFrameOptionsExemptTests(SimpleTestCase):
+    def test_decorator_stops_x_frame_options_being_set(self):
+        """
+        @xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
+        the header.
+        """
+
+        @xframe_options_exempt
+        def a_view(request):
+            return HttpResponse()
+
+        request = HttpRequest()
+        response = a_view(request)
+        self.assertIsNone(response.get("X-Frame-Options", None))
+        self.assertIs(response.xframe_options_exempt, True)
+
+        # The real purpose of the exempt decorator is to suppress the
+        # middleware's functionality.
+        middleware_response = XFrameOptionsMiddleware(a_view)(request)
+        self.assertIsNone(middleware_response.get("X-Frame-Options"))