Files
xlgo-core/ws/ws_origin_internal_test.go
2026-07-14 10:24:10 +08:00

78 lines
2.3 KiB
Go
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package ws
import (
"crypto/tls"
"net/http"
"net/http/httptest"
"testing"
)
// TestSameOriginCheck_C7 验证默认 CheckOrigin 同源校验(防 CSWSH):
// 空 Origin 放行(非浏览器)、同源放行、跨域拒绝。
func TestSameOriginCheck_C7(t *testing.T) {
cases := []struct {
name string
origin string
host string
want bool
}{
{"empty origin (non-browser)", "", "example.com", true},
{"same origin", "http://example.com", "example.com", true},
{"scheme mismatch", "https://example.com", "example.com", false},
{"cross origin", "https://evil.com", "example.com", false},
{"origin with port same", "http://example.com:8080", "example.com:8080", true},
{"origin with port diff", "http://example.com:8080", "example.com:9090", false},
{"malformed origin", "://bad", "example.com", false},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "/", nil)
if tc.origin != "" {
req.Header.Set("Origin", tc.origin)
}
req.Host = tc.host
got := sameOriginCheck(req)
if got != tc.want {
t.Errorf("sameOriginCheck origin=%q host=%q = %v, want %v", tc.origin, tc.host, got, tc.want)
}
})
}
}
func TestSameOriginCheckHTTPS_C7(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "https://example.com/ws", nil)
req.TLS = &tls.ConnectionState{}
req.Header.Set("Origin", "https://example.com")
if !sameOriginCheck(req) {
t.Fatal("sameOriginCheck should allow matching https origin for TLS request")
}
req.Header.Set("Origin", "http://example.com")
if sameOriginCheck(req) {
t.Fatal("sameOriginCheck should reject origin with mismatched scheme")
}
}
// TestAllowOrigins_C7AllowOrigins 仅放行白名单 Origin。
func TestAllowOrigins_C7(t *testing.T) {
check := AllowOrigins("https://a.com", "https://b.com")
cases := []struct {
origin string
want bool
}{
{"", true}, // 非浏览器放行
{"https://a.com", true}, // 白名单
{"https://b.com", true}, // 白名单
{"https://evil.com", false},
{"http://a.com", false}, // scheme 不符
}
for _, tc := range cases {
req := httptest.NewRequest(http.MethodGet, "/", nil)
if tc.origin != "" {
req.Header.Set("Origin", tc.origin)
}
if got := check(req); got != tc.want {
t.Errorf("AllowOrigins origin=%q = %v, want %v", tc.origin, got, tc.want)
}
}
}