Diffstat (limited to 'api/websocket_test.go')
-rw-r--r-- | api/websocket_test.go | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/api/websocket_test.go b/api/websocket_test.go
index ab2959b03..d3d8fc4b2 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -316,6 +316,7 @@ func TestCreateDirectChannelWithSocket(t *testing.T) {
 func TestWebsocketOriginSecurity(t *testing.T) {
 Setup().InitBasic()
+
 url := "ws://localhost" + utils.Cfg.ServiceSettings.ListenAddress
 // Should fail because origin doesn't match
@@ -333,6 +334,35 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
+
+ // Should succeed now because open CORS
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = "*"
+ _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+ "Origin": []string{"http://www.evil.com"},
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Should succeed now because matching CORS
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = "www.evil.com"
+ _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+ "Origin": []string{"http://www.evil.com"},
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Should fail because non-matching CORS
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = "www.good.com"
+ _, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+ "Origin": []string{"http://www.evil.com"},
+ })
+ if err == nil {
+ t.Fatal("Should have errored because Origin contain AllowCorsFrom")
+ }
+
+ *utils.Cfg.ServiceSettings.AllowCorsFrom = ""
 }
 func TestZZWebSocketTearDown(t *testing.T) { |
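Review bot: The added cases in the second hunk overwrite the process-wide `*utils.Cfg.ServiceSettings.AllowCorsFrom` and reset it only on the last added line, so any `t.Fatal` in between leaves `"*"` or `"www.evil.com"` active for every later test. Capture and restore it up front with `prev := *utils.Cfg.ServiceSettings.AllowCorsFrom` and `defer func() { *utils.Cfg.ServiceSettings.AllowCorsFrom = prev }()`, which also avoids assuming the previous value was `""`. The two successful dials discard the connection and response (`_, _, err`), so the sockets are never closed. The negative case passes on any dial error rather than specifically on an origin rejection, and its message ("Origin contain AllowCorsFrom") reads as the opposite of the non-matching scenario; asserting on the returned `*http.Response` status would pin the rejection itself. The origin check is not visible here, but if it is a substring comparison, a case where the allowed host is only part of the Origin host (constructed example: allowed `www.good.com`, Origin `http://www.good.com.example`) should also be asserted to fail; the function body starts outside this hunk.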