68 lines
2.2 KiB
Python
68 lines
2.2 KiB
Python
"""Test headers middleware."""
|
|
|
|
from http import HTTPStatus
|
|
|
|
from aiohttp import web
|
|
from aiohttp.web_exceptions import HTTPUnauthorized
|
|
|
|
from homeassistant.components.http.headers import setup_headers
|
|
|
|
from tests.typing import ClientSessionGenerator
|
|
|
|
|
|
async def mock_handler(_: web.Request) -> web.Response:
|
|
"""Return OK."""
|
|
return web.Response(text="OK")
|
|
|
|
|
|
async def mock_handler_error(_: web.Request) -> web.Response:
|
|
"""Return Unauthorized."""
|
|
raise HTTPUnauthorized(text="Ah ah ah, you didn't say the magic word")
|
|
|
|
|
|
async def test_headers_added(aiohttp_client: ClientSessionGenerator) -> None:
|
|
"""Test that headers are being added on each request."""
|
|
app = web.Application()
|
|
app.router.add_get("/", mock_handler)
|
|
app.router.add_get("/error", mock_handler_error)
|
|
|
|
setup_headers(app, use_x_frame_options=True)
|
|
|
|
mock_api_client = await aiohttp_client(app)
|
|
resp = await mock_api_client.get("/")
|
|
|
|
assert resp.status == HTTPStatus.OK
|
|
assert resp.headers["Referrer-Policy"] == "no-referrer"
|
|
assert resp.headers["Server"] == ""
|
|
assert resp.headers["X-Content-Type-Options"] == "nosniff"
|
|
assert resp.headers["X-Frame-Options"] == "SAMEORIGIN"
|
|
|
|
resp = await mock_api_client.get("/error")
|
|
|
|
assert resp.status == HTTPStatus.UNAUTHORIZED
|
|
assert resp.headers["Referrer-Policy"] == "no-referrer"
|
|
assert resp.headers["Server"] == ""
|
|
assert resp.headers["X-Content-Type-Options"] == "nosniff"
|
|
assert resp.headers["X-Frame-Options"] == "SAMEORIGIN"
|
|
|
|
|
|
async def test_allow_framing(aiohttp_client: ClientSessionGenerator) -> None:
|
|
"""Test that we allow framing when disabled."""
|
|
app = web.Application()
|
|
app.router.add_get("/", mock_handler)
|
|
app.router.add_get("/error", mock_handler_error)
|
|
|
|
setup_headers(app, use_x_frame_options=False)
|
|
|
|
mock_api_client = await aiohttp_client(app)
|
|
resp = await mock_api_client.get("/")
|
|
|
|
assert resp.status == HTTPStatus.OK
|
|
assert "X-Frame-Options" not in resp.headers
|
|
|
|
mock_api_client = await aiohttp_client(app)
|
|
resp = await mock_api_client.get("/error")
|
|
|
|
assert resp.status == HTTPStatus.UNAUTHORIZED
|
|
assert "X-Frame-Options" not in resp.headers
|