1 <?php
2
3 namespace Drupal\FunctionalTests\HttpKernel;
4
5 use Drupal\Core\Url;
6 use Drupal\Tests\BrowserTestBase;
7
8 /**
9 * Tests CORS provided by Drupal.
10 *
11 * @see sites/default/default.services.yml
12 * @see \Asm89\Stack\Cors
13 * @see \Asm89\Stack\CorsService
14 *
15 * @group Http
16 */
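class CorsIntegrationTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  public static $modules = ['system', 'test_page_test', 'page_cache'];

  /**
   * Tests CORS handling of simple (non-preflight) cross-origin requests.
   *
   * Exercises three states of the 'cors.config' container parameter:
   * - disabled (the shipped default), pinning every default value;
   * - enabled with the default wildcard origin list, checking that the
   *   request's Origin is reflected in Access-Control-Allow-Origin, that no
   *   Access-Control-Allow-Credentials header accompanies it, and that a
   *   page_cache HIT still carries a header matching the current request;
   * - enabled with an explicit origin allow-list, checking that a foreign
   *   origin is refused with a 403 and a listed origin is accepted.
   *
   * Finally a POST whose Origin equals the site's own scheme and host is
   * sent while the allow-list is still active, to confirm same-origin traffic
   * is not treated as a disallowed cross-origin request.
   */
  public function testCrossSiteRequest() {
    // Test default parameters. CORS is off out of the box; the remaining
    // values only take effect once it is enabled.
    $cors_config = $this->container->getParameter('cors.config');
    $this->assertSame(FALSE, $cors_config['enabled']);
    $this->assertSame([], $cors_config['allowedHeaders']);
    $this->assertSame([], $cors_config['allowedMethods']);
    $this->assertSame(['*'], $cors_config['allowedOrigins']);

    $this->assertSame(FALSE, $cors_config['exposedHeaders']);
    $this->assertSame(FALSE, $cors_config['maxAge']);
    // Credentials must stay off while the origin list is a wildcard: echoing
    // an arbitrary Origin together with Allow-Credentials would let any site
    // issue authenticated requests on behalf of a logged-in user.
    $this->assertSame(FALSE, $cors_config['supportsCredentials']);

    // Enable CORS with the default options.
    $cors_config['enabled'] = TRUE;

    $this->setContainerParameter('cors.config', $cors_config);
    $this->rebuildContainer();

    // Fire off a request. With the wildcard origin list the requesting Origin
    // is reflected verbatim rather than answered with a literal '*'.
    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'MISS');
    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
    // supportsCredentials is FALSE, so the reflected origin must not be
    // accompanied by an Access-Control-Allow-Credentials header.
    $this->assertNull($this->getSession()->getResponseHeader('Access-Control-Allow-Credentials'));

    // Fire the same exact request. This time it should be cached.
    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');

    // Fire a request for a different origin. The page is served from the page
    // cache, yet the CORS header must match this request's Origin and not the
    // origin that populated the cache entry.
    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.org']);
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org');

    // Configure the CORS stack to allow a specific set of origins.
    $cors_config['allowedOrigins'] = ['http://example.com'];

    $this->setContainerParameter('cors.config', $cors_config);
    $this->rebuildContainer();

    // Fire a request from an origin that isn't allowed. The refusal happens
    // server-side: the request is answered with a 403 instead of the page, so
    // enforcement does not rely on the browser honouring the CORS headers.
    $this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
    $this->assertSession()->statusCodeEquals(403);
    $this->assertSession()->pageTextContains('Not allowed.');

    // Specify a valid origin.
    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');

    // Verify POST still functions with 'Origin' header set to site's domain.
    // The allow-list above (only http://example.com) is still in effect, so a
    // 200 here shows that a request whose Origin is the site's own scheme and
    // host is not rejected as a foreign cross-origin request.
    $origin = \Drupal::request()->getSchemeAndHttpHost();

    /** @var \GuzzleHttp\ClientInterface $httpClient */
    $httpClient = $this->getSession()->getDriver()->getClient()->getClient();
    $url = Url::fromUri('base:/test-page');
    $response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
      'headers' => [
        'Origin' => $origin,
      ],
    ]);
    $this->assertEquals(200, $response->getStatusCode());
  }

}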