test/integration/cors_test.rb

   1 # frozen_string_literal: true
   2
   3 require "test_helper"
   4
   5 class CORSTest < ActionDispatch::IntegrationTest
   6   def test_api_routes_allow_cross_origin_requests
   7     options "/api/capabilities", :headers => {
   8       "Origin" => "http://www.example.com",
   9       "Access-Control-Request-Method" => "GET"
  10     }
  11
  12     assert_response :success
  13     assert_equal "*", response.headers["Access-Control-Allow-Origin"]
  14     assert_nil response.headers["Vary"]
  15     assert_nil response.media_type
  16     assert_equal "", response.body
  17
  18     get "/api/capabilities", :headers => {
  19       "Origin" => "http://www.example.com",
  20       "Access-Control-Request-Method" => "GET"
  21     }
  22
  23     assert_response :success
  24     assert_equal "*", response.headers["Access-Control-Allow-Origin"]
  25     assert_equal "Origin", response.headers["Vary"]
  26     assert_equal "application/xml", response.media_type
  27   end
  28
  29   def test_non_api_routes_dont_allow_cross_origin_requests
  30     options "/", :headers => {
  31       "Origin" => "http://www.example.com",
  32       "Access-Control-Request-Method" => "GET"
  33     }
  34
  35     assert_response :success
  36     assert_nil response.headers["Access-Control-Allow-Origin"]
  37     assert_nil response.media_type
  38     assert_equal "", response.body
  39
  40     get "/", :headers => {
  41       "Origin" => "http://www.example.com",
  42       "Access-Control-Request-Method" => "GET"
  43     }
  44
  45     assert_response :success
  46     assert_nil response.headers["Access-Control-Allow-Origin"]
  47     assert_equal "text/html", response.media_type
  48   end
  49 end