Remove forbidden headers from tests (#855)

adamchainz · web-flow · commit 0ab584798e11 · 2023-04-28T09:35:24.000+01:00
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -73,11 +73,11 @@ def test_file_in_allowed_origins(self):
 
     @override_settings(
         CORS_ALLOW_ALL_ORIGINS=True,
-        CORS_EXPOSE_HEADERS=["accept", "origin", "content-type"],
+        CORS_EXPOSE_HEADERS=["accept", "content-type"],
     )
     def test_get_expose_headers(self):
         resp = self.client.get("/", HTTP_ORIGIN="http://example.com")
-        assert resp[ACCESS_CONTROL_EXPOSE_HEADERS] == "accept, origin, content-type"
+        assert resp[ACCESS_CONTROL_EXPOSE_HEADERS] == "accept, content-type"
 
     @override_settings(CORS_ALLOW_ALL_ORIGINS=True)
     def test_get_dont_expose_headers(self):
@@ -95,7 +95,7 @@ def test_get_dont_allow_credentials(self):
         assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in resp
 
     @override_settings(
-        CORS_ALLOW_HEADERS=["content-type", "origin"],
+        CORS_ALLOW_HEADERS=["content-type"],
         CORS_ALLOW_METHODS=["GET", "OPTIONS"],
         CORS_PREFLIGHT_MAX_AGE=1002,
         CORS_ALLOW_ALL_ORIGINS=True,
@@ -107,12 +107,12 @@ def test_options_allowed_origin(self):
             HTTP_ACCESS_CONTROL_REQUEST_METHOD="GET",
         )
         assert resp.status_code == HTTPStatus.OK
-        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type, origin"
+        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type"
         assert resp[ACCESS_CONTROL_ALLOW_METHODS] == "GET, OPTIONS"
         assert resp[ACCESS_CONTROL_MAX_AGE] == "1002"
 
     @override_settings(
-        CORS_ALLOW_HEADERS=["content-type", "origin"],
+        CORS_ALLOW_HEADERS=["content-type"],
         CORS_ALLOW_METHODS=["GET", "OPTIONS"],
         CORS_PREFLIGHT_MAX_AGE=1002,
         CORS_ALLOW_ALL_ORIGINS=True,
@@ -124,12 +124,12 @@ async def test_async_options_allowed_origin(self):
             access_control_request_method="GET",
         )
         assert resp.status_code == HTTPStatus.OK
-        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type, origin"
+        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type"
         assert resp[ACCESS_CONTROL_ALLOW_METHODS] == "GET, OPTIONS"
         assert resp[ACCESS_CONTROL_MAX_AGE] == "1002"
 
     @override_settings(
-        CORS_ALLOW_HEADERS=["content-type", "origin"],
+        CORS_ALLOW_HEADERS=["content-type"],
         CORS_ALLOW_METHODS=["GET", "OPTIONS"],
         CORS_PREFLIGHT_MAX_AGE=0,
         CORS_ALLOW_ALL_ORIGINS=True,
@@ -140,7 +140,7 @@ def test_options_no_max_age(self):
             HTTP_ORIGIN="http://example.com",
             HTTP_ACCESS_CONTROL_REQUEST_METHOD="GET",
         )
-        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type, origin"
+        assert resp[ACCESS_CONTROL_ALLOW_HEADERS] == "content-type"
         assert resp[ACCESS_CONTROL_ALLOW_METHODS] == "GET, OPTIONS"
         assert ACCESS_CONTROL_MAX_AGE not in resp
 
