Implemented better testing and fixed skipepd frames
This commit is contained in:
@@ -0,0 +1,72 @@
|
||||
package wshub
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestCheckOrigin_NoOriginHeader — non-browser clients (no Origin) are allowed.
|
||||
func TestCheckOrigin_NoOriginHeader(t *testing.T) {
|
||||
r := &http.Request{Header: http.Header{}}
|
||||
if !checkOrigin(r) {
|
||||
t.Fatal("non-browser client (no Origin header) should be allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// TestCheckOrigin_SameOrigin — Origin host matching Host header is allowed.
|
||||
func TestCheckOrigin_SameOrigin(t *testing.T) {
|
||||
r := &http.Request{
|
||||
Header: http.Header{
|
||||
"Origin": []string{"http://localhost:8090"},
|
||||
},
|
||||
Host: "localhost:8090",
|
||||
}
|
||||
if !checkOrigin(r) {
|
||||
t.Fatal("same-origin request should be allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// TestCheckOrigin_CrossOriginBlocked — different Origin host is rejected.
|
||||
func TestCheckOrigin_CrossOriginBlocked(t *testing.T) {
|
||||
r := &http.Request{
|
||||
Header: http.Header{
|
||||
"Origin": []string{"http://evil.example.com:8090"},
|
||||
},
|
||||
Host: "localhost:8090",
|
||||
}
|
||||
if checkOrigin(r) {
|
||||
t.Fatal("cross-origin request should be blocked")
|
||||
}
|
||||
}
|
||||
|
||||
// TestCheckOrigin_Allowlist — explicitly allowed origins pass even if cross-origin.
|
||||
func TestCheckOrigin_Allowlist(t *testing.T) {
|
||||
SetAllowedOrigins([]string{"http://evil.example.com:8090"})
|
||||
defer SetAllowedOrigins(nil) // reset
|
||||
|
||||
r := &http.Request{
|
||||
Header: http.Header{
|
||||
"Origin": []string{"http://evil.example.com:8090"},
|
||||
},
|
||||
Host: "localhost:8090",
|
||||
}
|
||||
if !checkOrigin(r) {
|
||||
t.Fatal("allowlisted origin should be allowed")
|
||||
}
|
||||
}
|
||||
|
||||
// TestCheckOrigin_AllowlistDoesNotMatch — non-allowlisted cross-origin is blocked.
|
||||
func TestCheckOrigin_AllowlistDoesNotMatch(t *testing.T) {
|
||||
SetAllowedOrigins([]string{"http://good.example.com"})
|
||||
defer SetAllowedOrigins(nil)
|
||||
|
||||
r := &http.Request{
|
||||
Header: http.Header{
|
||||
"Origin": []string{"http://evil.example.com"},
|
||||
},
|
||||
Host: "localhost:8090",
|
||||
}
|
||||
if checkOrigin(r) {
|
||||
t.Fatal("non-allowlisted cross-origin should be blocked")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user