diff options
| author | Tim Graham <timograham@gmail.com> | 2021-01-12 19:55:02 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-18 20:00:22 +0100 |
| commit | dba44a7a7a3581ec722e06fa0f9f33dfc00ed5cd (patch) | |
| tree | a999c49d722b06cc70740b55be21c8f73ae343eb /tests | |
| parent | 9bf5e9418f425666726559c9f1981a516da30aab (diff) | |
Refs #16010 -- Required CSRF_TRUSTED_ORIGINS setting to include the scheme.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/check_framework/test_4_0_compatibility.py | 27 | ||||
| -rw-r--r-- | tests/csrf_tests/tests.py | 4 |
2 files changed, 29 insertions, 2 deletions
diff --git a/tests/check_framework/test_4_0_compatibility.py b/tests/check_framework/test_4_0_compatibility.py new file mode 100644 index 0000000000..9f288f252a --- /dev/null +++ b/tests/check_framework/test_4_0_compatibility.py @@ -0,0 +1,27 @@ +from django.core.checks import Error +from django.core.checks.compatibility.django_4_0 import ( + check_csrf_trusted_origins, +) +from django.test import SimpleTestCase +from django.test.utils import override_settings + + +class CheckCSRFTrustedOrigins(SimpleTestCase): + + @override_settings(CSRF_TRUSTED_ORIGINS=['example.com']) + def test_invalid_url(self): + self.assertEqual(check_csrf_trusted_origins(None), [ + Error( + 'As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS ' + 'setting must start with a scheme (usually http:// or ' + 'https://) but found example.com. See the release notes for ' + 'details.', + id='4_0.E001', + ) + ]) + + @override_settings( + CSRF_TRUSTED_ORIGINS=['http://example.com', 'https://example.com'], + ) + def test_valid_urls(self): + self.assertEqual(check_csrf_trusted_origins(None), []) diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index b1b37c8601..f733d25b02 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -399,7 +399,7 @@ class CsrfViewMiddlewareTestMixin: resp = mw.process_view(req, post_form_view, (), {}) self.assertIsNone(resp) - @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['dashboard.example.com']) + @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://dashboard.example.com']) def test_https_csrf_trusted_origin_allowed(self): """ A POST HTTPS request with a referer added to the CSRF_TRUSTED_ORIGINS @@ -414,7 +414,7 @@ class CsrfViewMiddlewareTestMixin: resp = mw.process_view(req, post_form_view, (), {}) self.assertIsNone(resp) - @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['.example.com']) + @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_TRUSTED_ORIGINS=['https://*.example.com']) def test_https_csrf_wildcard_trusted_origin_allowed(self): """ A POST HTTPS request with a referer that matches a CSRF_TRUSTED_ORIGINS |
