X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/827879be023e90d58eb681b3c930154739a0b27f..b04638275cff9b393e1bc04136d44f361b999cf8:/services/keep-web/handler_test.go?ds=sidebyside

diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 0c960b8c0e..86e1409391 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -18,6 +18,37 @@ var _ = check.Suite(&UnitSuite{})
 
 type UnitSuite struct{}
 
+func (s *UnitSuite) TestCORSPreflight(c *check.C) {
+	h := handler{Config: &Config{}}
+	u, _ := url.Parse("http://keep-web.example/c=" + arvadostest.FooCollection + "/foo")
+	req := &http.Request{
+		Method:     "OPTIONS",
+		Host:       u.Host,
+		URL:        u,
+		RequestURI: u.RequestURI(),
+		Header: http.Header{
+			"Origin":                        {"https://workbench.example"},
+			"Access-Control-Request-Method": {"POST"},
+		},
+	}
+
+	// Check preflight for an allowed request
+	resp := httptest.NewRecorder()
+	h.ServeHTTP(resp, req)
+	c.Check(resp.Code, check.Equals, http.StatusOK)
+	c.Check(resp.Body.String(), check.Equals, "")
+	c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
+	c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST")
+	c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Range")
+
+	// Check preflight for a disallowed request
+	resp = httptest.NewRecorder()
+	req.Header.Set("Access-Control-Request-Method", "DELETE")
+	h.ServeHTTP(resp, req)
+	c.Check(resp.Body.String(), check.Equals, "")
+	c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed)
+}
+
 func mustParseURL(s string) *url.URL {
 	r, err := url.Parse(s)
 	if err != nil {