From 765a91fefbbfb4718fe4c4f43256e0a88dd5a4b5 Mon Sep 17 00:00:00 2001 From: Martin Zimmermann Date: Sat, 29 Mar 2014 12:58:08 +0100 Subject: [PATCH] return first item of [general] -> host if origin is hidden A minor regression introduced by the latest refactorings. A functional test is now included. Only affects Firefox users that use non-SSL and supress their HTTP Referer completely --- isso/tests/test_cors.py | 11 +++++------ isso/tests/test_wsgi.py | 1 + isso/wsgi.py | 7 +++++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/isso/tests/test_cors.py b/isso/tests/test_cors.py index c8f7258..4cfc20d 100644 --- a/isso/tests/test_cors.py +++ b/isso/tests/test_cors.py @@ -25,13 +25,12 @@ class CORSTest(unittest.TestCase): origin=origin([ "https://example.tld/", "http://example.tld/", - "http://example.tld", ]), allowed=("Foo", "Bar"), exposed=("Spam", )) client = Client(app, Response) - rv = client.get("/", headers={"ORIGIN": "https://example.tld"}) + rv = client.get("/", headers={"Origin": "https://example.tld"}) self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld") self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true") 
@@ -39,13 +38,13 @@ class CORSTest(unittest.TestCase): self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar") self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam") - a = client.get("/", headers={"ORIGIN": "http://example.tld"}) + a = client.get("/", headers={"Origin": "http://example.tld"}) self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld") - b = client.get("/", headers={"ORIGIN": "http://example.tld"}) + b = client.get("/", headers={"Origin": "http://example.tld"}) self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld") - c = client.get("/", headers={"ORIGIN": "http://foo.other"}) + c = client.get("/", headers={"Origin": "http://foo.other"}) self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld") @@ -55,7 +54,7 @@ class CORSTest(unittest.TestCase): allowed=("Foo", ), exposed=("Bar", )) client = Client(app, Response) - rv = client.open(method="OPTIONS", path="/", headers={"ORIGIN": "http://example.tld"}) + rv = client.open(method="OPTIONS", path="/", headers={"Origin": "http://example.tld"}) self.assertEqual(rv.status_code, 200) for hdr in ("Origin", "Headers", "Credentials", "Methods"): diff --git a/isso/tests/test_wsgi.py b/isso/tests/test_wsgi.py index 516858e..17e0b12 100644 --- a/isso/tests/test_wsgi.py +++ b/isso/tests/test_wsgi.py @@ -46,3 +46,4 @@ class TestWSGIUtilities(unittest.TestCase): "http://foo.bar") self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}), "http://foo.bar") + self.assertEqual(origin({}), "http://foo.bar") diff --git a/isso/wsgi.py b/isso/wsgi.py index 984ada4..35e06e0 100644 --- a/isso/wsgi.py +++ b/isso/wsgi.py 
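Review bot: The added assertion only pins the no-Origin/no-Referer path; the empty-string header case is left unasserted even though this commit changes it, since the isso/wsgi.py hunk replaces `if not hosts or not loc` with `if loc is None`, so `HTTP_ORIGIN: ""` now reaches the `urlsplit` loop instead of the early return, and the `if not hosts: return "http://invalid.local"` guard has no test either. Because the value `origin()` yields appears to be what the CORS layer emits as `Access-Control-Allow-Origin` (the test_cors hunks above check it next to `Access-Control-Allow-Credentials: "true"`), fixing the fallback for that input in a test would document the contract, e.g. `self.assertEqual(origin({"HTTP_ORIGIN": ""}), "http://foo.bar")` if the post-loop fallback (outside the visible hunk) also returns the first host, and `self.assertEqual(wsgi.origin([])({}), "http://invalid.local")` for the empty-hosts guard, adjusted to however the closure is bound in this file. `origin` here looks like the closure built earlier in TestWSGIUtilities; its setup and the enclosing test method start outside the hunk.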
@@ -81,10 +81,13 @@ def origin(hosts): def func(environ): + if not hosts: + return "http://invalid.local" + loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None)) - if not hosts or not loc: - return "http://invalid.local" + if loc is None: + return urljoin(*hosts[0]) for split in hosts: if urlsplit(loc) == split: