From ae99816d2e788a9665414b966b6c2e4cdb65e172 Mon Sep 17 00:00:00 2001 From: Ramana Rao Date: Wed, 8 Jul 2015 02:04:10 +0000 Subject: [PATCH 1/3] fix check for cors allow credentials --- cornice/cors.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cornice/cors.py b/cornice/cors.py index 77311661..b27a91e3 100644 --- a/cornice/cors.py +++ b/cornice/cors.py @@ -96,8 +96,7 @@ def ensure_origin(service, request, response=None): for o in service.cors_origins_for(method)]): request.errors.add('header', 'Origin', '%s not allowed' % origin) - elif request.headers.get( - 'Access-Control-Allow-Credentials', False): + elif service.cors_support_credentials_for(method): response.headers['Access-Control-Allow-Origin'] = origin else: if any([o == "*" for o in service.cors_origins_for(method)]): From bff02a7e07b261a895826dad41c815ef00e6d83b Mon Sep 17 00:00:00 2001 From: Ramana Rao Date: Wed, 8 Jul 2015 04:48:24 +0000 Subject: [PATCH 2/3] remove incorrect --- cornice/tests/test_cors.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/cornice/tests/test_cors.py b/cornice/tests/test_cors.py index dd126d38..2cc0c430 100644 --- a/cornice/tests/test_cors.py +++ b/cornice/tests/test_cors.py @@ -228,15 +228,6 @@ def test_resp_dont_include_allow_origin(self): self.assertNotIn('Access-Control-Allow-Origin', resp.headers) self.assertEqual(resp.json, 'squirels') - def test_resp_allow_origin_wildcard(self): - resp = self.app.options( - '/cors_klass', - status=200, - headers={ - 'Origin': 'lolnet.org', - 'Access-Control-Request-Method': 'POST'}) - self.assertEqual(resp.headers['Access-Control-Allow-Origin'], '*') - def test_origin_is_not_wildcard_if_allow_credentials(self): resp = self.app.options( '/cors_klass', 
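Review bot: The new `elif service.cors_support_credentials_for(method):` branch echoes the request's Origin whenever credentials are enabled, so if the list returned by `service.cors_origins_for(method)` contains `*`, any origin that passes the allow-list check above (only partly visible here) gets a credentialed grant. That is the combination browsers refuse when the header is a literal `*`. Reading the decision from service configuration instead of a client-supplied header is the right fix, but the branch deserves a comment such as `# credentials enabled: echo the matched origin; a '*' entry in the allowed origins then admits any site with cookies`. It may also be worth rejecting wildcard origins combined with credentials when the service is declared. Since the header value now differs per request, confirm that `Vary: Origin` is set somewhere outside this hunk; ensure_origin's body starts and ends outside it.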
@@ -244,7 +235,6 @@ def test_origin_is_not_wildcard_if_allow_credentials(self): headers={ 'Origin': 'lolnet.org', 'Access-Control-Request-Method': 'POST', - 'Access-Control-Allow-Credentials': 'true' }) self.assertEqual(resp.headers['Access-Control-Allow-Origin'], 'lolnet.org') From e3e3f09a9ec4dcff7a0562dd716a11c7b6611c43 Mon Sep 17 00:00:00 2001 From: Ramana Rao Date: Tue, 28 Jul 2015 15:09:01 +0000 Subject: [PATCH 3/3] check that expected AC-Allow-Credentials=true in fixed test --- cornice/tests/test_cors.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cornice/tests/test_cors.py b/cornice/tests/test_cors.py index 2cc0c430..bcb755e6 100644 --- a/cornice/tests/test_cors.py +++ b/cornice/tests/test_cors.py @@ -238,6 +238,8 @@ def test_origin_is_not_wildcard_if_allow_credentials(self): }) self.assertEqual(resp.headers['Access-Control-Allow-Origin'], 'lolnet.org') + self.assertEqual(resp.headers['Access-Control-Allow-Credentials'], + 'true') def test_responses_include_an_allow_origin_header(self): resp = self.app.get('/squirel', headers={'Origin': 'notmyidea.org'})
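Review bot: The added `Access-Control-Allow-Credentials` assertion pins only the positive case, and nothing visible in these test hunks covers the bug that patch 1/3 fixes. That bug is a request carrying its own `Access-Control-Allow-Credentials: true` header against a service that does not enable credentials. A test that sends that header to such a service and asserts the response's `Access-Control-Allow-Origin` is not the echoed origin would stop the request-header check from coming back. Patch 2/3 also drops `test_resp_allow_origin_wildcard` without a replacement, so the `else` branch that answers `*` appears to lose coverage unless another test in the file exercises it.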