return first item of [general] -> host if origin is hidden

A minor regression introduced by the latest refactorings. A functional test is now included. Only affects Firefox users that use non-SSL and supress their HTTP Referer completely
2014-03-29 12:58:08 +01:00 · 2014-03-29 12:58:08 +01:00 · 765a91fefb
commit 765a91fefb
parent 87179fe8fa
3 changed files with 11 additions and 8 deletions
--- a/isso/tests/test_cors.py
+++ b/isso/tests/test_cors.py
@ -25,13 +25,12 @@ class CORSTest(unittest.TestCase):
            origin=origin([
                "https://example.tld/",
                "http://example.tld/",
-                "http://example.tld",
            ]),
            allowed=("Foo", "Bar"), exposed=("Spam", ))

        client = Client(app, Response)

-        rv = client.get("/", headers={"ORIGIN": "https://example.tld"})
+        rv = client.get("/", headers={"Origin": "https://example.tld"})

        self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld")
        self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true")
@ -39,13 +38,13 @@ class CORSTest(unittest.TestCase):
        self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar")
        self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam")

-        a = client.get("/", headers={"ORIGIN": "http://example.tld"})
+        a = client.get("/", headers={"Origin": "http://example.tld"})
        self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld")

-        b = client.get("/", headers={"ORIGIN": "http://example.tld"})
+        b = client.get("/", headers={"Origin": "http://example.tld"})
        self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld")

-        c = client.get("/", headers={"ORIGIN": "http://foo.other"})
+        c = client.get("/", headers={"Origin": "http://foo.other"})
        self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld")


@ -55,7 +54,7 @@ class CORSTest(unittest.TestCase):
                             allowed=("Foo", ), exposed=("Bar", ))
        client = Client(app, Response)

-        rv = client.open(method="OPTIONS", path="/", headers={"ORIGIN": "http://example.tld"})
+        rv = client.open(method="OPTIONS", path="/", headers={"Origin": "http://example.tld"})
        self.assertEqual(rv.status_code, 200)

        for hdr in ("Origin", "Headers", "Credentials", "Methods"):
--- a/isso/tests/test_wsgi.py
+++ b/isso/tests/test_wsgi.py
@ -46,3 +46,4 @@ class TestWSGIUtilities(unittest.TestCase):
                         "http://foo.bar")
        self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}),
                         "http://foo.bar")
+        self.assertEqual(origin({}), "http://foo.bar")
--- a/isso/wsgi.py
+++ b/isso/wsgi.py
@ -81,10 +81,13 @@ def origin(hosts):

    def func(environ):

+        if not hosts:
+            return "http://invalid.local"
+
        loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None))

-        if not hosts or not loc:
-            return "http://invalid.local"
+        if loc is None:
+            return urljoin(*hosts[0])

        for split in hosts:
            if urlsplit(loc) == split: