
Commit cfdc8d4

Server not required to send Access-Control-Allow-Credentials (#78)
* Server not required to send Access-Control-Allow-Credentials
* Don't test for vary header on POST or 401 responses as it doesn't make sense
1 parent 9fea2e3 commit cfdc8d4

4 files changed

Lines changed: 13 additions & 24 deletions


protocol/cors/access-control-headers.feature

Lines changed: 0 additions & 2 deletions
@@ -15,7 +15,6 @@ Feature: Server must respond to requests sending Origin with the appropriate Acc
1515
When method <method>
1616
Then match <statuses> contains responseStatus
1717
And match header Access-Control-Allow-Origin == 'https://tester'
18-
And match header Access-Control-Allow-Credentials == 'true'
1918
Examples:
2019
| method | headers! | body | statuses |
2120
| GET | {Accept: 'text/turtle'} | def ignore = 1 | [401] |
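Review bot: Deleting line 18 leaves the 401 scenario with no opinion on Access-Control-Allow-Credentials at all, which is looser than the commit message needs: the header being optional does not mean any value is acceptable, since a browser only honours the literal `true` and treats anything else as absent. Suggest replacing the deleted assertion with a check that the header, when present, equals `'true'`, and adding a comment above it recording that the server is not required to send it, so the stricter assertion is not reinstated by the next contributor.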
@@ -31,7 +30,6 @@ Feature: Server must respond to requests sending Origin with the appropriate Acc
3130
When method <method>
3231
Then match <statuses> contains responseStatus
3332
And match header Access-Control-Allow-Origin == 'https://tester'
34-
And match header Access-Control-Allow-Credentials == 'true'
3533
Examples:
3634
| method | headers! | body | statuses |
3735
| GET | {Accept: 'text/turtle'} | def ignore = 1 | [200] |
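Review bot: Neither hunk in this file asserts `Vary: Origin`, while `match header Access-Control-Allow-Origin == 'https://tester'` at line 33 shows the server answering with an origin-specific value. If the scenario has no Vary check outside these hunks, a cached 200 carrying one origin's allow header can be served to a different origin; simple-requests.feature keeps `match header Vary contains 'Origin'` on its 200 GET/HEAD cases, and the same step belongs on the 200 case here.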

protocol/cors/preflight-requests.feature

Lines changed: 7 additions & 9 deletions
@@ -16,7 +16,6 @@ Feature: Server must implement the CORS protocol for preflight requests
1616
And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
1717
And match header Access-Control-Allow-Headers contains 'Content-Type'
1818
And match header Access-Control-Allow-Headers contains 'Accept'
19-
And match header Access-Control-Allow-Credentials == 'true'
2019
And match header Access-Control-Expose-Headers != null
2120
And match response == ''
2221

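Review bot: With the credentials line gone, the preflight scenario still asserts `Access-Control-Expose-Headers != null` at line 19, but browsers read that header from the actual response, not from the preflight, so the check on an OPTIONS response proves nothing about what a script will be able to read. Either drop it from the OPTIONS scenarios or move it to the scenario that performs the real request.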
@@ -29,17 +28,17 @@ Feature: Server must implement the CORS protocol for preflight requests
2928
When method <method>
3029
Then match <statuses> contains responseStatus
3130
And match header Access-Control-Allow-Origin == 'https://tester'
32-
And match header Access-Control-Allow-Credentials == 'true'
3331
And match header Access-Control-Expose-Headers != null
3432
And match header Access-Control-Expose-Headers != '*'
3533
# Check Content-Type on GET request only
36-
And <check>
37-
And match header Vary contains 'Origin'
34+
And <checkContentType>
35+
# Check Vary on GET/HEAD requests only
36+
And <checkVary>
3837
Examples:
39-
| method | body | statuses | check |
40-
| GET | def ignore = 1 | [200] | match header Content-Type contains 'text/turtle' |
41-
| HEAD | def ignore = 1 | [200] | def ignore = 1 |
42-
| POST | request "Hello" | [200, 201, 204, 205] | def ignore = 1 |
38+
| method | body | | statuses | checkContentType | checkVary |
39+
| GET | def ignore = 1 | | [200] | match header Content-Type contains 'text/turtle' | match header Vary contains 'Origin' |
40+
| HEAD | def ignore = 1 | | [200] | def ignore = 1 | match header Vary contains 'Origin' |
41+
| POST | request "Hello" | | [200, 201, 204, 205] | def ignore = 1 | def ignore = 1 |
4342

4443
@http-redirect
4544
Scenario: OPTIONS request returns headers for pre-flight check after redirect from http
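Review bot: The new Examples table at lines 38-41 has an extra empty column between `body` and `statuses` (`| method | body | | statuses |`), which looks like a leftover from realigning the columns rather than a deliberate placeholder; an unnamed column has no variable to bind to, so remove it from the header and from the three rows. The POST row's `def ignore = 1` for `checkVary` is defensible because POST responses are not cached by default, but the comment at line 35 should say so, since "GET/HEAD requests only" states the rule without the reason.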
@@ -62,6 +61,5 @@ Feature: Server must implement the CORS protocol for preflight requests
6261
And match header Access-Control-Allow-Methods contains 'POST'
6362
And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
6463
And match header Access-Control-Allow-Headers contains 'Content-Type'
65-
And match header Access-Control-Allow-Credentials == 'true'
6664
And match header Access-Control-Expose-Headers != null
6765
And match response == ''
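Review bot: Lines 61-65 are the second copy of the OPTIONS assertion block at lines 16-21, and this commit had to delete the credentials line in each copy separately. Pulling the shared `Access-Control-Allow-*` assertions into one called feature or a Background step would keep the plain and after-redirect scenarios from drifting apart the next time a header requirement changes.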

protocol/cors/preflight.feature

Lines changed: 0 additions & 2 deletions
@@ -14,7 +14,6 @@ Feature: Server must support HTTP OPTIONS for CORS preflight requests
1414
And match header Access-Control-Allow-Methods contains 'POST'
1515
And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
1616
And match header Access-Control-Allow-Headers contains 'Content-Type'
17-
And match header Access-Control-Allow-Credentials == 'true'
1817
# We should check the list of headers exposed but what is the required list
1918
And match header Access-Control-Expose-Headers != null
2019
And match response == ''
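Review bot: The comment at line 17, `We should check the list of headers exposed but what is the required list`, is an open question sitting next to an assertion that only checks the header is non-null, and this hunk leaves both in place. Either answer it (list the headers the specification requires to be exposed and assert on them) or mark it as a tracked TODO; and since this is a preflight response, `Access-Control-Expose-Headers` is ignored by browsers on OPTIONS, so the assertion may belong on the actual-request scenario instead.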
@@ -39,7 +38,6 @@ Feature: Server must support HTTP OPTIONS for CORS preflight requests
3938
And match header Access-Control-Allow-Methods contains 'POST'
4039
And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
4140
And match header Access-Control-Allow-Headers contains 'Content-Type'
42-
And match header Access-Control-Allow-Credentials == 'true'
4341
# We should check the list of headers exposed but what is the required list
4442
And match header Access-Control-Expose-Headers != null
4543
And match response == ''
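Review bot: Lines 38-43 duplicate lines 14-19 of this file exactly, including the unresolved comment at line 41; a shared step would let the two scenarios be edited once. Minor.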

protocol/cors/simple-requests.feature

Lines changed: 6 additions & 11 deletions
@@ -15,10 +15,8 @@ Feature: Server must implement the CORS protocol for simple requests
1515
When method <method>
1616
Then match <statuses> contains responseStatus
1717
And match header Access-Control-Allow-Origin == 'https://tester'
18-
And match header Access-Control-Allow-Credentials == 'true'
1918
And match header Access-Control-Expose-Headers != null
2019
And match header Access-Control-Expose-Headers != '*'
21-
And match header Vary contains 'Origin'
2220
Examples:
2321
| method | headers! | body | statuses |
2422
| GET | {Accept: 'text/turtle'} | def ignore = 1 | [401] |
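Review bot: Removing `match header Vary contains 'Origin'` at line 21 drops the cache-safety check from a response that still carries an origin-specific `Access-Control-Allow-Origin` (line 17). A 401 is not cached by default, which is presumably the "doesn't make sense" in the commit message, but nothing stops a server from sending a `Cache-Control` that makes it cacheable, at which point a shared cache can hand one origin's allow header to another. Suggest keeping the check, or at least adding a comment here recording why 401 responses are exempt, in the style of the `# Check Vary on GET/HEAD requests only` comment used later in this file.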
@@ -33,10 +31,8 @@ Feature: Server must implement the CORS protocol for simple requests
3331
When method <method>
3432
Then match <statuses> contains responseStatus
3533
And match header Access-Control-Allow-Origin == 'https://tester'
36-
And match header Access-Control-Allow-Credentials == 'true'
3734
And match header Access-Control-Expose-Headers != null
3835
And match header Access-Control-Expose-Headers != '*'
39-
And match header Vary contains 'Origin'
4036
Examples:
4137
| method | headers! | body | statuses |
4238
| GET | {Accept: 'text/plain'} | def ignore = 1 | [401] |
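Review bot: Same as the text/turtle 401 scenario above: the Vary deletion at line 39 is silent, with no comment explaining the 401 exemption, while the 200 scenario further down gets a `# Check Vary on GET/HEAD requests only` comment. Add the same rationale comment here so both 401 scenarios document why the header is not checked.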
@@ -51,15 +47,15 @@ Feature: Server must implement the CORS protocol for simple requests
5147
When method <method>
5248
Then match <statuses> contains responseStatus
5349
And match header Access-Control-Allow-Origin == 'https://tester'
54-
And match header Access-Control-Allow-Credentials == 'true'
5550
And match header Access-Control-Expose-Headers != null
5651
And match header Access-Control-Expose-Headers != '*'
57-
And match header Vary contains 'Origin'
52+
# Check Vary on GET/HEAD requests only
53+
And <checkVary>
5854
Examples:
59-
| method | headers! | body | statuses |
60-
| GET | {Accept: 'text/turtle'} | def ignore = 1 | [200] |
61-
| HEAD | {} | def ignore = 1 | [200] |
62-
| POST | {'Content-Type': 'text/plain'} | request "Hello" | [200, 201, 204, 205] |
55+
| method | headers! | body | statuses | checkVary |
56+
| GET | {Accept: 'text/turtle'} | def ignore = 1 | [200] | match header Vary contains 'Origin' |
57+
| HEAD | {} | def ignore = 1 | [200] | match header Vary contains 'Origin' |
58+
| POST | {'Content-Type': 'text/plain'} | request "Hello" | [200, 201, 204, 205] | def ignore = 1 |
6359

6460
Scenario Outline: Requests resource with credentials: <method> request returns access control headers
6561
Given url resource.url
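Review bot: `match header Vary contains 'Origin'` in the new `checkVary` column at lines 56-57 is a literal substring match, so a server that sends `vary: origin` (lower-case, as some HTTP/2 stacks and proxies normalise header values) fails even though field names listed in Vary are case-insensitive, and a server that sends `Vary: *` also fails even though `*` is the stricter caching answer. Consider a case-insensitive match for the column value, something like `match header Vary == '#regex (?i).*(origin|[*]).*'`, and note that `*` is accepted. The `def ignore = 1` no-op in the POST row works but reads as a value definition; a one-line comment above the table saying it is a placeholder step would help.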
@@ -70,7 +66,6 @@ Feature: Server must implement the CORS protocol for simple requests
7066
When method <method>
7167
Then match <statuses> contains responseStatus
7268
And match header Access-Control-Allow-Origin == 'https://tester'
73-
And match header Access-Control-Allow-Credentials == 'true'
7469
And match header Access-Control-Expose-Headers != null
7570
And match header Access-Control-Expose-Headers != '*'
7671
And match header Vary contains 'Origin'
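Review bot: This scenario is titled `Requests resource with credentials` (line 64), and it is the one place where dropping `Access-Control-Allow-Credentials == 'true'` at line 73 is not obviously right: if "with credentials" means a fetch in `credentials: 'include'` mode, the browser rejects the response without that exact header value regardless of `Access-Control-Allow-Origin`; if it means an `Authorization` header on an otherwise credential-less fetch, the header is irrelevant and the deletion is correct. A comment in the scenario stating which is meant would settle it, and in the first case the assertion should come back.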
