Merge pull request #88 from cjwatson/fix-referrer

Stop sending Referer on browser.open/browser.post

CHANGES.rst

@@ -5,7 +5,9 @@ CHANGES
 5.5.1 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Stop sending a ``Referer`` header when ``browser.open`` or
+  ``browser.post`` is called directly.  See `issue 87
+  <https://github.com/zopefoundation/zope.testbrowser/issues/87>`_.
 
 
 5.5.0 (2019-11-11)

src/zope/testbrowser/browser.py

@@ -136,6 +136,7 @@ class Browser(SetattrErrorsMixin):
     _response = None
     _req_headers = None
     _req_content_type = None
+    _req_referrer = None
     _history = None
     __html = None
 
@@ -195,6 +196,8 @@ def reload(self):
         def make_request(args):
             return self.testapp.request(self._response.request)
 
+        # _req_referrer is left intact, so will be the referrer (if any) of
+        # the request being reloaded.
         self._processRequest(self.url, make_request)
 
     def goBack(self, count=1):
@@ -239,7 +242,7 @@ def addHeader(self, key, value):
             raise ValueError('cookies are already set in `cookies` attribute')
         self._req_headers[key] = value
 
-    def open(self, url, data=None):
+    def open(self, url, data=None, referrer=None):
         """See zope.testbrowser.interfaces.IBrowser"""
         url = self._absoluteUrl(url)
         if data is not None:
@@ -249,11 +252,13 @@ def make_request(args):
             def make_request(args):
                 return self.testapp.get(url, **args)
 
+        self._req_referrer = referrer
         self._processRequest(url, make_request)
 
-    def post(self, url, data, content_type=None):
+    def post(self, url, data, content_type=None, referrer=None):
         if content_type is not None:
             self._req_content_type = content_type
+        self._req_referrer = referrer
         return self.open(url, data)
 
     def _clickSubmit(self, form, control=None, coord=None):
@@ -268,6 +273,7 @@ def make_request(args):
             def make_request(args):
                 return self._submit(form, coord=coord, **args)
 
+        self._req_referrer = self.url
         self._processRequest(url, make_request)
 
     def _processRequest(self, url, make_request):
@@ -278,6 +284,7 @@ def _processRequest(self, url, make_request):
                 remaining_redirects = 100  # infinite loops protection
                 while resp.status_int in REDIRECTS and remaining_redirects:
                     remaining_redirects -= 1
+                    self._req_referrer = url
                     url = urlparse.urljoin(url, resp.headers['location'])
                     with self._preparedRequest(url) as reqargs:
                         resp = self.testapp.get(url, **reqargs)
@@ -485,8 +492,8 @@ def _preparedRequest(self, url):
         self.timer.start()
 
         headers = {}
-        if self.url:
-            headers['Referer'] = self.url
+        if self._req_referrer is not None:
+            headers['Referer'] = self._req_referrer
 
         if self._req_content_type:
             headers['Content-Type'] = self._req_content_type
@@ -606,7 +613,7 @@ def __init__(self, link, browser, baseurl=""):
     def click(self):
         if self._browser_counter != self.browser._counter:
             raise interfaces.ExpiredError
-        self.browser.open(self.url)
+        self.browser.open(self.url, referrer=self.browser.url)
 
     @property
     def url(self):

src/zope/testbrowser/tests/test_browser.py

@@ -189,6 +189,27 @@ def test_SubmitControl_has_str_mechRepr(self):
         self.assertEqual(mech_repr, '<SubmitControl(sub1=Yës)>')
 
 
+def test_open_no_referrer(self):
+    """
+    Successive calls to open() do not send a referrer.
+
+    >>> app = YetAnotherTestApp()
+    >>> browser = Browser(wsgi_app=app)
+    >>> app.add_response(b'foo')
+    >>> app.add_response(b'bar')
+    >>> browser.open('http://localhost/')
+    >>> browser.contents
+    'foo'
+    >>> 'HTTP_REFERER' in app.last_environ
+    False
+    >>> browser.open('http://localhost/')
+    >>> browser.contents
+    'bar'
+    >>> 'HTTP_REFERER' in app.last_environ
+    False
+    """
+
+
 def test_relative_redirect(self):
     """
     >>> app = YetAnotherTestApp()
@@ -205,6 +226,8 @@ def test_relative_redirect(self):
     'found_it'
     >>> browser.url
     'https://localhost/foo/foundit'
+    >>> app.last_environ['HTTP_REFERER']
+    'https://localhost/foo/bar'
     """
 
 
@@ -224,6 +247,8 @@ def test_disable_following_redirects(self):
     '302 Found'
     >>> browser.headers['Location']
     'http://localhost/the_thing'
+    >>> 'HTTP_REFERER' in app.last_environ
+    False
     """
 
 
@@ -289,6 +314,8 @@ def test_redirect_after_reload():
     'http://localhost/the_thing'
     >>> browser.contents
     'The Thing'
+    >>> app.last_environ['HTTP_REFERER']
+    'http://localhost/'
 
     """
 
@@ -374,6 +401,8 @@ def test_reload_after_redirect():
     'Processed'
     >>> app.last_environ['REQUEST_METHOD']
     'GET'
+    >>> app.last_environ['HTTP_REFERER']
+    'http://localhost/submit'
     >>> print(app.last_input)
     <BLANKLINE>
 
@@ -385,6 +414,8 @@ def test_reload_after_redirect():
     'Reloaded'
     >>> app.last_environ['REQUEST_METHOD']
     'GET'
+    >>> app.last_environ['HTTP_REFERER']
+    'http://localhost/submit'
     >>> print(app.last_input)
     <BLANKLINE>
     """
@@ -1299,6 +1330,31 @@ def test_links_with_complicated_id(self):
     """
 
 
+def test_link_click_sends_referrer(self):
+    """
+    Clicking on a link sends the previous URL as the referrer.
+
+    >>> app = YetAnotherTestApp()
+    >>> browser = Browser(wsgi_app=app)
+    >>> app.add_response(b'''\
+    ... <html><body>
+    ...   <a href="/foo">Foo</a>
+    ... </body</html>
+    ... ''')
+    >>> app.add_response(b'foo')
+    >>> browser.open('http://localhost/')
+    >>> 'HTTP_REFERER' in app.last_environ
+    False
+    >>> browser.getLink(url='/foo').click()
+    >>> browser.contents
+    'foo'
+    >>> browser.url
+    'http://localhost/foo'
+    >>> app.last_environ['HTTP_REFERER']
+    'http://localhost/'
+    """
+
+
 def test_controls_without_value(self):
     """
     >>> app = TestApp()