* use quote instead of quote_plus for RedirectResponse location header
adjust safe characters: rem. duplicate & symbol
add test for redirect quoting
* remove unused import
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Set explicit Origin in CORS preflight response if allow_credentials is True and allow_origins is wildcard
When making a preflight request, the browser makes no indication as to whether the actual subsequent
request will pass up credentials. However, unless the preflight response explicitly allows the
request's `Origin` in the `Access-Control-Response-Header`, the browser will fail the CORS check and
prevent the actual follow-up CORS request. This means that responding with the `*` wildcard is not
sufficient to allow preflighted credentialed requests. The current workaround is to provide an
equivalently permissive `allow_origin_regex` pattern.
The `simple_response()` code already performs similar logic which currently only applies to
non-preflighted requests since the browser would never make a preflighted request that hits this
code due to this issue:
```
if self.allow_all_origins and has_cookie:
headers["Access-Control-Allow-Origin"] = origin
```
This just bring the two halves inline with each other.
* Add Vary header to preflight response if allow_credentials
* Use allow_explicit_origin() for preflight request_headers
This simplifies the code slightly by using this recently added method.
It has some trade-offs, though. We now construct a `MutableHeaders` instead of a simple `dict` when
copying the pre-computed preflight headers, and we move the `Vary` header construction out of the
pre-computation and into the call handler.
I think it makes the code more maintainable and the added per-call computation is minimal.
* Convert MutableHeaders to dict for PlainTextResponse
* Revert back to dict() for preflight headers
This also names and caches some of the boolean tests in __init__() which we use in later if-blocks.
This follows the existing pattern in order to better self-document the code.
* Clean up comments
* Remove unused self.allow_credentials attribute
* Add HEAD to CORS ALL_METHODS list
The HEAD method is conspicuously absent from the allowed methods list when `allow_methods="*"` is
used. This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted by the
browser, but it does prevent the actual cross-origin HEAD response from being read by the calling
app.
[This can catch people off-guard.](https://discuss.encode.io/t/for-cors-middleware-why-is-head-not-included-in-all-methods/939)
This simply adds HEAD to the `ALL_METHODS` list in the CORS middleware module and includes some
additional tests to validate the new behavior.
* Update tests/middleware/test_cors.py to use more explicit status code check
Co-authored-by: euri10 <euri10@users.noreply.github.com>
Co-authored-by: euri10 <euri10@users.noreply.github.com>
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Add Origin to Vary header on credentialed CORS response
According to the [MDN CORS docs]
(https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Access-Control-Allow-Origin), the `Origin`
item should be added to the `Vary` header when the `Access-Control-Allow-Origin` is set to an
explicit origin value, as opposed to the `*` wildcard.
>If the server specifies a single origin (that may dynamically change based on the requesting origin
as part of a white-list) rather than the "*" wildcard, then the server should also include Origin in
the Vary response header — to indicate to clients that server responses will differ based on the
value of the Origin request header.
The existing code fails to update the `Vary` list when the server is configured to allow all
origins (`*`) and the request has a `Cookie` header (ie. credentialed). In that situation, the
`Access-Control-Allow-Origin` header will be set to the request's `Origin` value.
It appears this may have just been a simple oversight in the original implementation. This updates
the code to add `Origin` to the `Vary` header under these circumstancesIf it was intentionally
omitted, I'd be delighted to learn why.
* Add type annotations
* Add test to ensure that the vary header does not contain origin if request is non-credentialed
* Make session cookie use ASGI root path
* Check if ASGI root_path exists before using it
Co-authored-by: Tom Christie <tom@tomchristie.com>
* Remove comment
* Add test
Co-authored-by: Mahmoud Hanafy <mahmoud.hanafy@retresco.de>
Co-authored-by: Tom Christie <tom@tomchristie.com>
* StaticFiles: Fix cache validation bug for deleted files in html mode
Previously StaticFiles would return 304 for a deleted file if its
Last-Modified date was the same as that of 404.html
* Use black formatter
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
There is a small typo in starlette/middleware/gzip.py.
Should read `outgoing` rather than `ougoging`.
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Add __init__ file for tests.middleware so Mypy 0.800 is happy
* testclient: Tie loop lifetime to thread
* ServerErrorMiddleware: Don't use undocumented TracebackException.exc_traceback attribute
* Allow usage of async partial methods
* Added test for partial async endpoint
* Double quotes vs single quotes
* Support multiple levels of partials, check Python < 3.8
* Skip coverage for py3.8 branch
Co-authored-by: Florimond Manca <florimond.manca@gmail.com>
* Use format_exception instead of format_tb
This gives much more information about the exception, including causes, and the exception message itself, in addition to the trackback
* Update test
Co-authored-by: Jamie Hewland <jhewland@gmail.com>
* Update CI scripts to match httpcore
* Run test suite on pushes to master
* Update scripts README
* Don't bother with flake8 extensions for now
* Remove unnecessary PYTHONPATH from build, publish
* test_routing: Use a stub app instead of ellipsis
* Add link to issue about type-checking tests
Andrey Sobolev