diff --git a/test/example-app.js b/test/example-app.js
index 89676d9..9cacb3c 100644
--- a/test/example-app.js
+++ b/test/example-app.js
@@ -4,10 +4,12 @@
 var express = require('express'),
 supertest = require('supertest'),
- cors = require('../lib');
+ cors = require('../lib'),
+ path = require('path');
 var simpleApp,
- complexApp;
+ complexApp,
+ fontApp;
 /* -------------------------------------------------------------------------- */
@@ -32,6 +34,19 @@
 /* -------------------------------------------------------------------------- */
+ fontApp = express();
+ // Apply CORS middleware before static files with dynamic origins from env
+ var allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : ['https://myurl.com'];
+ fontApp.use(cors({
+ origin: allowedOrigins,
+ methods: ['GET', 'POST', 'DELETE', 'UPDATE', 'PUT', 'PATCH', 'OPTIONS'],
+ allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
+ }));
+ // Serve static files from 'support' directory (fonts)
+ fontApp.use(express.static(path.join(__dirname, 'support')));
+
+ /* -------------------------------------------------------------------------- */
+
 describe('example app(s)', function () {
 describe('simple methods', function () {
 it('GET works', function (done) {
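Review bot: The origin list in `var allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : ['https://myurl.com'];` makes this fixture depend on the runner's environment: wherever `ALLOWED_ORIGINS` happens to be set (CI, a developer shell), `https://myurl.com` is no longer allowed and every assertion that expects it fails, so the test should pin the list, `var allowedOrigins = ['https://myurl.com'];`, and leave the env-driven form to application code, where the split entries would also need trimming and an empty-string guard. The `methods` option lists `'UPDATE'`, which is not an HTTP method; it is presumably echoed verbatim into `Access-Control-Allow-Methods` on preflight, so drop it or replace it with the intended verb (no preflight request is exercised in this commit, so nothing would catch it). Both points recur in the new test/font-cors.js hunk.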
@@ -76,6 +91,57 @@
 .end(done)
 });
 });
+
+ describe('font static files', function () {
+ it('serves .woff files with CORS headers', function (done) {
+ supertest(fontApp)
+ .get('/font.woff')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .ttf files with CORS headers', function (done) {
+ supertest(fontApp)
+ .get('/font.ttf')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .otf files with CORS headers', function (done) {
+ supertest(fontApp)
+ .get('/font.otf')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .woff2 files with CORS headers', function (done) {
+ supertest(fontApp)
+ .get('/font.woff2')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('blocks font requests from disallowed origins', function (done) {
+ supertest(fontApp)
+ .get('/font.woff')
+ .set('Origin', 'https://badorigin.com')
+ .expect(200) // Static file still served, but without CORS header
+ .expect(function (res) {
+ if (res.headers['access-control-allow-origin']) {
+ throw new Error('CORS header should not be present for disallowed origin');
+ }
+ })
+ .end(done);
+ });
+ });
 });
 }());
diff --git a/test/font-cors.js b/test/font-cors.js
new file mode 100644
index 0000000..8b82b1b
--- /dev/null
+++ b/test/font-cors.js
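Review bot: The five tests under `describe('font static files', ...)` assert only `Access-Control-Allow-Origin`; when the origin is matched against a list, the response must also carry `Vary: Origin`, otherwise a shared cache may replay the header reflected for `https://myurl.com` to a request from another origin, so if `../lib` emits that header for list origins (I cannot see it from this diff), add `.expect('Vary', /Origin/)` to the allowed-origin cases and to the disallowed case, whose `.expect(function (res) {...})` check is otherwise sound. The four allowed-origin tests differ only in the file extension and could be generated from one list, which keeps the set of covered font types in one place; a rewrite along those lines is below. The enclosing `describe('example app(s)')` starts outside the hunk.
```javascript
describe('font static files', function () {
    ['woff', 'ttf', 'otf', 'woff2'].forEach(function (ext) {
        it('serves .' + ext + ' files with CORS headers', function (done) {
            supertest(fontApp)
                .get('/font.' + ext)
                .set('Origin', 'https://myurl.com')
                .expect(200)
                .expect('Access-Control-Allow-Origin', 'https://myurl.com')
                .expect('Vary', /Origin/) // only if ../lib sets it for list origins
                .end(done);
        });
    });
    // … unchanged: 'blocks font requests from disallowed origins' test …
});
```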
@@ -0,0 +1,80 @@
+(function () {
+
+ 'use strict';
+
+ var express = require('express'),
+ supertest = require('supertest'),
+ cors = require('../lib'),
+ path = require('path');
+
+ var app;
+
+ /* -------------------------------------------------------------------------- */
+
+ app = express();
+
+ // Apply CORS middleware before static files with dynamic origins from env
+ var allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : ['https://myurl.com'];
+ app.use(cors({
+ origin: allowedOrigins,
+ methods: ['GET', 'POST', 'DELETE', 'UPDATE', 'PUT', 'PATCH', 'OPTIONS'],
+ allowedHeaders: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
+ }));
+
+ // Serve static files from 'public' directory
+ app.use(express.static(path.join(__dirname, 'support'))); // Assuming fonts are in test/support
+
+ /* -------------------------------------------------------------------------- */
+
+ describe('font CORS', function () {
+ it('serves .woff files with CORS headers', function (done) {
+ supertest(app)
+ .get('/font.woff')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .ttf files with CORS headers', function (done) {
+ supertest(app)
+ .get('/font.ttf')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .otf files with CORS headers', function (done) {
+ supertest(app)
+ .get('/font.otf')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('serves .woff2 files with CORS headers', function (done) {
+ supertest(app)
+ .get('/font.woff2')
+ .set('Origin', 'https://myurl.com')
+ .expect(200)
+ .expect('Access-Control-Allow-Origin', 'https://myurl.com')
+ .end(done);
+ });
+
+ it('blocks font requests from disallowed origins', function (done) {
+ supertest(app)
+ .get('/font.woff')
+ .set('Origin', 'https://badorigin.com')
+ .expect(200) // Static file still served, but without CORS header
+ .expect(function (res) {
+ if (res.headers['access-control-allow-origin']) {
+ throw new Error('CORS header should not be present for disallowed origin');
+ }
+ })
+ .end(done);
+ });
+ });
+
+}());
diff --git a/test/support/font.otf b/test/support/font.otf
new file mode 100644
index 0000000..3159752
--- /dev/null
+++ b/test/support/font.otf
@@ -0,0 +1 @@
+dummy otf content
diff --git a/test/support/font.ttf b/test/support/font.ttf
new file mode 100644
index 0000000..d663cb8
--- /dev/null
+++ b/test/support/font.ttf
@@ -0,0 +1 @@
+dummy ttf content
diff --git a/test/support/font.woff b/test/support/font.woff
new file mode 100644
index 0000000..c882ab6
--- /dev/null
+++ b/test/support/font.woff
@@ -0,0 +1 @@
+dummy woff content
diff --git a/test/support/font.woff2 b/test/support/font.woff2
new file mode 100644
index 0000000..47375c0
--- /dev/null
+++ b/test/support/font.woff2
@@ -0,0 +1 @@
+dummy woff2 content
diff --git a/test/support/static.txt b/test/support/static.txt
new file mode 100644
index 0000000..877bb0b
--- /dev/null
+++ b/test/support/static.txt
@@ -0,0 +1 @@
+This is a static file for testing CORS.
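Review bot: test/font-cors.js repeats, statement for statement, the `fontApp` setup and the five font tests that this same commit adds to test/example-app.js (hunk `@@ -76,6 +91,57 @@`), so the suite now runs identical assertions twice and any later fix must be made in two places; keep one copy. The comment `// Serve static files from 'public' directory` names a path the next line does not use, `app.use(express.static(path.join(__dirname, 'support')))`, and its trailing `// Assuming fonts are in test/support` hedges on fixtures this very commit adds; replace both with `// Serve the font fixtures from test/support`. test/support/static.txt is also added, but no test in the diff requests it, so it is either dead or belongs with a test that is missing here.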