class CorsIntegrationTest

Same name and namespace in other branches

11.x core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php \Drupal\FunctionalTests\HttpKernel\CorsIntegrationTest
9 core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php \Drupal\FunctionalTests\HttpKernel\CorsIntegrationTest
10 core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php \Drupal\FunctionalTests\HttpKernel\CorsIntegrationTest

Tests CORS provided by Drupal.

@group Http

Hierarchy

class \Drupal\Tests\BrowserTestBase uses \Drupal\Core\Test\FunctionalTestSetupTrait, \Drupal\Tests\UiHelperTrait, \Drupal\Core\Test\TestSetupTrait, \Drupal\Tests\block\Traits\BlockCreationTrait, \Drupal\FunctionalTests\AssertLegacyTrait, \Drupal\Tests\RandomGeneratorTrait, \Drupal\Tests\node\Traits\NodeCreationTrait, \Drupal\Tests\node\Traits\ContentTypeCreationTrait, \Drupal\Tests\ConfigTestTrait, \Drupal\Tests\TestRequirementsTrait, \Drupal\Tests\user\Traits\UserCreationTrait, \Drupal\Tests\XdebugRequestTrait, \Drupal\Tests\PhpunitCompatibilityTrait implements \PHPUnit\Framework\TestCase
- class \Drupal\FunctionalTests\HttpKernel\CorsIntegrationTest implements \Drupal\Tests\BrowserTestBase

Expanded class hierarchy of CorsIntegrationTest

File

core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php, line 17

Namespace

Drupal\FunctionalTests\HttpKernel

View on git.drupalcode.org

View source

class CorsIntegrationTest extends BrowserTestBase {
  
  /**
   * {@inheritdoc}
   */
  public static $modules = [
    'system',
    'test_page_test',
    'page_cache',
  ];
  
  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';
  public function testCrossSiteRequest() {
    // Test default parameters.
    $cors_config = $this->container
      ->getParameter('cors.config');
    $this->assertSame(FALSE, $cors_config['enabled']);
    $this->assertSame([], $cors_config['allowedHeaders']);
    $this->assertSame([], $cors_config['allowedMethods']);
    $this->assertSame([
      '*',
    ], $cors_config['allowedOrigins']);
    $this->assertSame(FALSE, $cors_config['exposedHeaders']);
    $this->assertSame(FALSE, $cors_config['maxAge']);
    $this->assertSame(FALSE, $cors_config['supportsCredentials']);
    // Enable CORS with the default options.
    $cors_config['enabled'] = TRUE;
    $this->setContainerParameter('cors.config', $cors_config);
    $this->rebuildContainer();
    // Fire off a request.
    $this->drupalGet('/test-page', [], [
      'Origin' => 'http://example.com',
    ]);
    $this->assertSession()
      ->statusCodeEquals(200);
    $this->assertSession()
      ->responseHeaderEquals('X-Drupal-Cache', 'MISS');
    $this->assertSession()
      ->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
    // Fire the same exact request. This time it should be cached.
    $this->drupalGet('/test-page', [], [
      'Origin' => 'http://example.com',
    ]);
    $this->assertSession()
      ->statusCodeEquals(200);
    $this->assertSession()
      ->responseHeaderEquals('X-Drupal-Cache', 'HIT');
    $this->assertSession()
      ->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
    // Fire a request for a different origin. Verify the CORS header.
    $this->drupalGet('/test-page', [], [
      'Origin' => 'http://example.org',
    ]);
    $this->assertSession()
      ->statusCodeEquals(200);
    $this->assertSession()
      ->responseHeaderEquals('X-Drupal-Cache', 'HIT');
    $this->assertSession()
      ->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org');
    // Configure the CORS stack to allow a specific set of origins.
    $cors_config['allowedOrigins'] = [
      'http://example.com',
    ];
    $this->setContainerParameter('cors.config', $cors_config);
    $this->rebuildContainer();
    // Fire a request from an origin that isn't allowed.
    /** @var \Symfony\Component\HttpFoundation\Response $response */
    $this->drupalGet('/test-page', [], [
      'Origin' => 'http://non-valid.com',
    ]);
    $this->assertSession()
      ->statusCodeEquals(403);
    $this->assertSession()
      ->pageTextContains('Not allowed.');
    // Specify a valid origin.
    $this->drupalGet('/test-page', [], [
      'Origin' => 'http://example.com',
    ]);
    $this->assertSession()
      ->statusCodeEquals(200);
    $this->assertSession()
      ->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
    // Verify POST still functions with 'Origin' header set to site's domain.
    $origin = \Drupal::request()->getSchemeAndHttpHost();
    /** @var \GuzzleHttp\ClientInterface $httpClient */
    $httpClient = $this->getSession()
      ->getDriver()
      ->getClient()
      ->getClient();
    $url = Url::fromUri('base:/test-page');
    $response = $httpClient->request('POST', $url->setAbsolute()
      ->toString(), [
      'headers' => [
        'Origin' => $origin,
      ],
    ]);
    $this->assertEquals(200, $response->getStatusCode());
  }

}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.

class CorsIntegrationTest

Hierarchy

See also

File

Namespace

Search drupal 8.9.x

API Navigation

Breadcrumb

class CorsIntegrationTest

Hierarchy

See also

File

Namespace

Search drupal 8.9.x

API Navigation