Merge remote-tracking branch 'upstream/pull/5121'
1 require "test_helper"
2
# Integration tests pinning which routes emit CORS response headers.
#
# As asserted below, the API route answers with a wildcard
# Access-Control-Allow-Origin, while the site root answers with no
# Access-Control-Allow-Origin header at all, so browsers keep applying the
# same-origin policy to it.
#
# NOTE(review): neither test looks at Access-Control-Allow-Credentials.
# Browsers refuse credentialed requests when the allowed origin is "*", but
# asserting that the header is absent on API routes would pin that down
# explicitly - confirm against the application's CORS configuration.
class CORSTest < ActionDispatch::IntegrationTest
  # Both the preflight (OPTIONS) and the real GET against an API route must
  # carry the wildcard allow-origin header.
  def test_api_routes_allow_cross_origin_requests
    options "/api/capabilities", :headers => cross_origin_headers

    # Preflight: allowed for any origin, with an empty, untyped body and no
    # Vary header.
    assert_response :success
    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
    assert_nil response.headers["Vary"]
    assert_nil response.media_type
    assert_equal "", response.body

    get "/api/capabilities", :headers => cross_origin_headers

    # Actual request: still wildcard, the response is expected to vary on
    # Origin, and the XML payload is served.
    assert_response :success
    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
    assert_equal "Origin", response.headers["Vary"]
    assert_equal "application/xml", response.media_type
  end

  # A non-API route must never emit Access-Control-Allow-Origin, neither on
  # the preflight nor on the real GET.
  def test_non_api_routes_dont_allow_cross_origin_requests
    options "/", :headers => cross_origin_headers

    # Preflight: answered successfully but without granting any origin.
    assert_response :success
    assert_nil response.headers["Access-Control-Allow-Origin"]
    assert_nil response.media_type
    assert_equal "", response.body

    get "/", :headers => cross_origin_headers

    # Actual request: the HTML page is served, still with no allow-origin
    # header.
    assert_response :success
    assert_nil response.headers["Access-Control-Allow-Origin"]
    assert_equal "text/html", response.media_type
  end

  private

  # Request headers a browser would attach to a cross-origin request from
  # www.example.com. A fresh hash is built for every request.
  def cross_origin_headers
    {
      "Origin" => "http://www.example.com",
      "Access-Control-Request-Method" => "GET"
    }
  end
end