Merge pull request #278 from mozilla-services/fix_cors_expose_headers

Wrong if clause that passed even if wrong on Python 2.*
Cornices · Feb 26, 2015 · df5b558 · df5b558
2 parents ef50391 + 2c9f0ca
commit df5b558
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/cornice/cors.py b/cornice/cors.py
@@ -125,7 +125,7 @@ def apply_cors_post_request(service, request, response):
             'Access-Control-Allow-Credentials' not in response.headers):
         response.headers['Access-Control-Allow-Credentials'] = 'true'
 
-    if request.method is not 'OPTIONS':
+    if request.method != 'OPTIONS':
         # Which headers are exposed?
         supported_headers = service.cors_supported_headers
         if supported_headers:

diff --git a/cornice/tests/test_cors.py b/cornice/tests/test_cors.py
@@ -139,6 +139,14 @@ def test_preflight_missing_origin(self):
             status=400)
         self.assertEqual(len(resp.json['errors']), 1)
 
+    def test_preflight_does_not_expose_headers(self):
+        resp = self.app.options(
+            '/squirel',
+            headers={'Access-Control-Request-Method': 'GET',
+                     'Origin': 'notmyidea.org'},
+            status=200)
+        self.assertNotIn('Access-Control-Expose-Headers', resp.headers)
+
     def test_preflight_missing_request_method(self):
 
         resp = self.app.options(