diff options
| author | Ben Lomax <lomax.on.the.run@gmail.com> | 2023-04-26 06:48:33 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-05-20 15:23:52 +0200 |
| commit | b43936f2ec37f47277899a91a5464091bd80ad3a (patch) | |
| tree | 751426926029a13344c3c5c22add90af4fafd36c | |
| parent | a2da81fe083a9dbc37b8355c25fdc23e3b58d16f (diff) | |
Moved clickjacking decorator tests into decorators/test_clickjacking.py.
This also adds extra assertions.
| -rw-r--r-- | tests/decorators/test_clickjacking.py | 50 | ||||
| -rw-r--r-- | tests/decorators/tests.py | 57 |
2 files changed, 50 insertions, 57 deletions
diff --git a/tests/decorators/test_clickjacking.py b/tests/decorators/test_clickjacking.py new file mode 100644 index 0000000000..278950082d --- /dev/null +++ b/tests/decorators/test_clickjacking.py @@ -0,0 +1,50 @@ +from django.http import HttpRequest, HttpResponse +from django.middleware.clickjacking import XFrameOptionsMiddleware +from django.test import SimpleTestCase +from django.views.decorators.clickjacking import ( + xframe_options_deny, + xframe_options_exempt, + xframe_options_sameorigin, +) + + +class XFrameOptionsDenyTests(SimpleTestCase): + def test_decorator_sets_x_frame_options_to_deny(self): + @xframe_options_deny + def a_view(request): + return HttpResponse() + + response = a_view(HttpRequest()) + self.assertEqual(response.headers["X-Frame-Options"], "DENY") + + +class XFrameOptionsSameoriginTests(SimpleTestCase): + def test_decorator_sets_x_frame_options_to_sameorigin(self): + @xframe_options_sameorigin + def a_view(request): + return HttpResponse() + + response = a_view(HttpRequest()) + self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN") + + +class XFrameOptionsExemptTests(SimpleTestCase): + def test_decorator_stops_x_frame_options_being_set(self): + """ + @xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set + the header. + """ + + @xframe_options_exempt + def a_view(request): + return HttpResponse() + + request = HttpRequest() + response = a_view(request) + self.assertIsNone(response.get("X-Frame-Options", None)) + self.assertIs(response.xframe_options_exempt, True) + + # The real purpose of the exempt decorator is to suppress the + # middleware's functionality. + middleware_response = XFrameOptionsMiddleware(a_view)(request) + self.assertIsNone(middleware_response.get("X-Frame-Options")) diff --git a/tests/decorators/tests.py b/tests/decorators/tests.py index 48f24503d0..2d10c33188 100644 --- a/tests/decorators/tests.py +++ b/tests/decorators/tests.py @@ -8,17 +8,11 @@ from django.contrib.auth.decorators import ( user_passes_test, ) from django.http import HttpRequest, HttpResponse, HttpResponseNotAllowed -from django.middleware.clickjacking import XFrameOptionsMiddleware from django.test import SimpleTestCase from django.utils.decorators import method_decorator from django.utils.functional import keep_lazy, keep_lazy_text, lazy from django.utils.safestring import mark_safe from django.views.decorators.cache import cache_control, cache_page, never_cache -from django.views.decorators.clickjacking import ( - xframe_options_deny, - xframe_options_exempt, - xframe_options_sameorigin, -) from django.views.decorators.http import ( condition, require_GET, @@ -463,54 +457,3 @@ class MethodDecoratorTests(SimpleTestCase): Test().method() self.assertEqual(func_name, "method") self.assertIsNotNone(func_module) - - -class XFrameOptionsDecoratorsTests(TestCase): - """ - Tests for the X-Frame-Options decorators. - """ - - def test_deny_decorator(self): - """ - Ensures @xframe_options_deny properly sets the X-Frame-Options header. - """ - - @xframe_options_deny - def a_view(request): - return HttpResponse() - - r = a_view(HttpRequest()) - self.assertEqual(r.headers["X-Frame-Options"], "DENY") - - def test_sameorigin_decorator(self): - """ - Ensures @xframe_options_sameorigin properly sets the X-Frame-Options - header. - """ - - @xframe_options_sameorigin - def a_view(request): - return HttpResponse() - - r = a_view(HttpRequest()) - self.assertEqual(r.headers["X-Frame-Options"], "SAMEORIGIN") - - def test_exempt_decorator(self): - """ - Ensures @xframe_options_exempt properly instructs the - XFrameOptionsMiddleware to NOT set the header. - """ - - @xframe_options_exempt - def a_view(request): - return HttpResponse() - - req = HttpRequest() - resp = a_view(req) - self.assertIsNone(resp.get("X-Frame-Options", None)) - self.assertTrue(resp.xframe_options_exempt) - - # Since the real purpose of the exempt decorator is to suppress - # the middleware's functionality, let's make sure it actually works... - r = XFrameOptionsMiddleware(a_view)(req) - self.assertIsNone(r.get("X-Frame-Options", None)) |
