Add HEAD to CORS ALL_METHODS list (#1112)

* Add HEAD to CORS ALL_METHODS list The HEAD method is conspicuously absent from the allowed methods list when `allow_methods="*"` is used. This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted by the browser, but it does prevent the actual cross-origin HEAD response from being read by the calling app. [This can catch people off-guard.](https://discuss.encode.io/t/for-cors-middleware-why-is-head-not-included-in-all-methods/939) This simply adds HEAD to the `ALL_METHODS` list in the CORS middleware module and includes some additional tests to validate the new behavior. * Update tests/middleware/test_cors.py to use more explicit status code check Co-authored-by: euri10 <euri10@users.noreply.github.com> Co-authored-by: euri10 <euri10@users.noreply.github.com> Co-authored-by: Jamie Hewland <jhewland@gmail.com>
encode · Apr 6, 2021 · f5ecb53 · f5ecb53
1 parent 6022126
commit f5ecb53
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
@@ -6,7 +6,7 @@
 from starlette.responses import PlainTextResponse, Response
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
-ALL_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")
+ALL_METHODS = ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT")
 SAFELISTED_HEADERS = {"Accept", "Accept-Language", "Content-Language", "Content-Type"}
 
 

diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
@@ -118,6 +118,56 @@ def homepage(request):
     assert response.text == "Disallowed CORS origin, method, headers"
 
 
+def test_cors_preflight_allow_all_methods():
+    app = Starlette()
+
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=["*"],
+        allow_methods=["*"],
+    )
+
+    @app.route("/")
+    def homepage(request):
+        pass  # pragma: no cover
+
+    client = TestClient(app)
+
+    headers = {
+        "Origin": "https://example.org",
+        "Access-Control-Request-Method": "POST",
+    }
+
+    for method in ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"):
+        response = client.options("/", headers=headers)
+        assert response.status_code == 200
+        assert method in response.headers["access-control-allow-methods"]
+
+
+def test_cors_allow_all_methods():
+    app = Starlette()
+
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=["*"],
+        allow_methods=["*"],
+    )
+
+    @app.route(
+        "/", methods=("delete", "get", "head", "options", "patch", "post", "put")
+    )
+    def homepage(request):
+        return PlainTextResponse("Homepage", status_code=200)
+
+    client = TestClient(app)
+
+    headers = {"Origin": "https://example.org"}
+
+    for method in ("delete", "get", "head", "options", "patch", "post", "put"):
+        response = getattr(client, method)("/", headers=headers, json={})
+        assert response.status_code == 200
+
+
 def test_cors_allow_origin_regex():
     app = Starlette()