CSRF: accept cross-site request if origin is in the CORS allowed origin list

2025-12-21 10:48:29 +00:00
parent a99b658c3f
commit ba6893ca0f
2 changed files with 27 additions and 17 deletions
--- a/tests/test_csrf.py
+++ b/tests/test_csrf.py
@@ -203,10 +203,6 @@ class TestCSRF(unittest.TestCase):

        res = self._run(client.get('/'))
        self.assertEqual(res.status_code, 204)
-        res = self._run(client.get(
-            '/', headers={'Origin': 'foo.com'}
-        ))
-        self.assertEqual(res.status_code, 204)
        res = self._run(client.get(
            '/', headers={'Origin': 'http://foo.com'}
        ))
@@ -230,6 +226,26 @@ class TestCSRF(unittest.TestCase):
            '/submit', headers={'Origin': 'http://bar.com:8888'}
        ))
        self.assertEqual(res.status_code, 403)
+        res = self._run(client.post(
+            '/submit', headers={
+                'Sec-Fetch-Site': 'cross-site',
+                'Origin': 'https://bar.com:8888',
+            },
+        ))
+        self.assertEqual(res.status_code, 204)
+        res = self._run(client.post(
+            '/submit', headers={
+                'Sec-Fetch-Site': 'cross-site',
+                'Origin': 'https://bar.com:8889',
+            },
+        ))
+        self.assertEqual(res.status_code, 403)
+        res = self._run(client.post(
+            '/submit', headers={
+                'Sec-Fetch-Site': 'cross-site',
+            },
+        ))
+        self.assertEqual(res.status_code, 403)
        res = self._run(client.post(
            '/submit', headers={'Origin': 'https://x.y.bar.com:8888'}
        ))
@@ -257,10 +273,6 @@ class TestCSRF(unittest.TestCase):

        res = self._run(client.get('/'))
        self.assertEqual(res.status_code, 204)
-        res = self._run(client.get(
-            '/', headers={'Origin': 'foo.com'}
-        ))
-        self.assertEqual(res.status_code, 204)
        res = self._run(client.get(
            '/', headers={'Origin': 'http://foo.com'}
        ))