/
http_origin_spec.rb
46 lines (40 loc) · 1.42 KB
/
http_origin_spec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
describe Rack::Protection::HttpOrigin do
it_behaves_like "any rack application"
before(:each) do
mock_app do
use Rack::Protection::HttpOrigin
run DummyApp
end
end
%w(GET HEAD POST PUT DELETE).each do |method|
it "accepts #{method} requests with no Origin" do
expect(send(method.downcase, '/')).to be_ok
end
end
%w(GET HEAD).each do |method|
it "accepts #{method} requests with non-permitted Origin" do
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).to be_ok
end
end
%w(GET HEAD POST PUT DELETE).each do |method|
it "accepts #{method} requests when allow_if is true" do
mock_app do
use Rack::Protection::HttpOrigin, :allow_if => lambda{|env| env.has_key?('HTTP_ORIGIN') }
run DummyApp
end
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://any.domain.com')).to be_ok
end
end
%w(POST PUT DELETE).each do |method|
it "denies #{method} requests with non-permitted Origin" do
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).not_to be_ok
end
it "accepts #{method} requests with whitelisted Origin" do
mock_app do
use Rack::Protection::HttpOrigin, :permitted_origins => ['http://www.friend.com']
run DummyApp
end
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok
end
end
end