RubyGems - rack-cors - Versions diffs - 1.0.2 → 2.0.0 - Mend

rack-cors 1.0.2 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

checksums.yaml +5 -5
data/.rubocop.yml +31 -0
data/.travis.yml +10 -3
data/{CHANGELOG → CHANGELOG.md} +39 -0
data/Gemfile +3 -1
data/README.md +67 -42
data/Rakefile +5 -4
data/lib/rack/cors/resource.rb +132 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +110 -345
data/rack-cors.gemspec +20 -16
data/test/.rubocop.yml +8 -0
data/test/cors/test.cors.coffee +9 -2
data/test/cors/test.cors.js +22 -10
data/test/unit/cors_test.rb +209 -151
data/test/unit/dsl_test.rb +30 -29
data/test/unit/insecure.ru +2 -0
data/test/unit/non_http.ru +2 -0
data/test/unit/test.ru +25 -19
metadata +81 -28

data/test/unit/cors_test.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'minitest/autorun'
 require 'rack/test'
 require 'mocha/setup'
@@ -7,7 +9,7 @@ require 'ostruct'
 Rack::Test::Session.class_eval do
   unless defined? :options
     def options(uri, params = {}, env = {}, &block)
-      env = env_for(uri, env.merge(:method => "OPTIONS", :params => params))
+      env = env_for(uri, env.merge(method: 'OPTIONS', params: params))
       process_request(uri, env, &block)
     end
   end
@@ -19,16 +21,16 @@ end
 module MiniTest::Assertions
   def assert_cors_success(response)
-  	assert !response.headers['Access-Control-Allow-Origin'].nil?, "Expected a successful CORS response"
+    assert !response.headers['Access-Control-Allow-Origin'].nil?, 'Expected a successful CORS response'
   end
   def assert_not_cors_success(response)
-  	assert response.headers['Access-Control-Allow-Origin'].nil?, "Expected a failed CORS response"
+    assert response.headers['Access-Control-Allow-Origin'].nil?, 'Expected a failed CORS response'
   end
 end
 class CaptureResult
-  def initialize(app, options =  {})
+  def initialize(app, options = {})
     @app = app
     @result_holder = options[:holder]
   end
@@ -36,7 +38,19 @@ class CaptureResult
   def call(env)
     response = @app.call(env)
     @result_holder.cors_result = env[Rack::Cors::RACK_CORS]
-    return response
+    response
+  end
+end
+class FakeProxy
+  def initialize(app, _options = {})
+    @app = app
+  end
+  def call(env)
+    status, headers, body = @app.call(env)
+    headers['vary'] = %w[Origin User-Agent]
+    [status, headers, body]
   end
 end
@@ -48,15 +62,16 @@ describe Rack::Cors do
   attr_accessor :cors_result
-  def load_app(name)
+  def load_app(name, options = {})
     test = self
     Rack::Builder.new do
-      use CaptureResult, :holder => test
+      use CaptureResult, holder: test
       eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
+      use FakeProxy if options[:proxy]
       map('/') do
-        run proc { |env|
-          [200, {'Content-Type' => 'text/html'}, ['success']]
-        }
+        run(lambda do |_env|
+          [200, { 'Content-Type' => 'text/html' }, ['success']]
+        end)
       end
     end
   end
@@ -65,120 +80,135 @@ describe Rack::Cors do
   it 'should support simple CORS request' do
     successful_cors_request
-    cors_result.must_be :hit
+    _(cors_result).must_be :hit
   end
   it "should not return CORS headers if Origin header isn't present" do
     get '/'
-    last_response.wont_render_cors_success
-    cors_result.wont_be :hit
+    _(last_response).wont_render_cors_success
+    _(cors_result).wont_be :hit
   end
   it 'should support OPTIONS CORS request' do
-    successful_cors_request '/options', :method => :options
+    successful_cors_request '/options', method: :options
   end
   it 'should support regex origins configuration' do
-    successful_cors_request :origin => 'http://192.168.0.1:1234'
+    successful_cors_request origin: 'http://192.168.0.1:1234'
   end
   it 'should support subdomain example' do
-    successful_cors_request :origin => 'http://subdomain.example.com'
+    successful_cors_request origin: 'http://subdomain.example.com'
   end
   it 'should support proc origins configuration' do
-    successful_cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+    successful_cors_request '/proc-origin', origin: 'http://10.10.10.10:3000'
   end
   it 'should support lambda origin configuration' do
-    successful_cors_request '/lambda-origin', :origin => 'http://10.10.10.10:3000'
+    successful_cors_request '/lambda-origin', origin: 'http://10.10.10.10:3000'
   end
   it 'should support proc origins configuration (inverse)' do
-    cors_request '/proc-origin', :origin => 'http://bad.guy'
-    last_response.wont_render_cors_success
+    cors_request '/proc-origin', origin: 'http://bad.guy'
+    _(last_response).wont_render_cors_success
   end
   it 'should not mix up path rules across origins' do
     header 'Origin', 'http://10.10.10.10:3000'
     get '/' # / is configured in a separate rule block
-    last_response.wont_render_cors_success
+    _(last_response).wont_render_cors_success
   end
   it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
-    last_response.must_render_cors_success
+    _(last_response).must_render_cors_success
   end
   it 'should support expose header configuration' do
     successful_cors_request '/expose_single_header'
-    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test'
+    _(last_response.headers['Access-Control-Expose-Headers']).must_equal 'expose-test'
   end
   it 'should support expose multiple header configuration' do
     successful_cors_request '/expose_multiple_headers'
-    last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
+    _(last_response.headers['Access-Control-Expose-Headers']).must_equal 'expose-test-1, expose-test-2'
   end
   # Explanation: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
   it "should add Vary header if resource matches even if Origin header isn't present" do
     get '/'
-    last_response.wont_render_cors_success
-    last_response.headers['Vary'].must_equal 'Origin'
+    _(last_response).wont_render_cors_success
+    _(last_response.headers['Vary']).must_equal 'Origin'
   end
-  it "should add Vary header based on :vary option" do
+  it 'should add Vary header based on :vary option' do
     successful_cors_request '/vary_test'
-    last_response.headers['Vary'].must_equal 'Origin, Host'
+    _(last_response.headers['Vary']).must_equal 'Origin, Host'
+  end
+  it 'decode URL and resolve paths before resource matching' do
+    header 'Origin', 'http://localhost:3000'
+    get '/public/a/..%2F..%2Fprivate/stuff'
+    _(last_response).wont_render_cors_success
+  end
+  describe 'with upstream Vary headers' do
+    let(:app) { load_app('test', { proxy: true }) }
+    it 'should add to them' do
+      successful_cors_request '/vary_test'
+      _(last_response.headers['Vary']).must_equal 'Origin, User-Agent, Host'
+    end
   end
   it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
-    successful_cors_request '/', :origin => "http://192.168.0.3:8080"
-    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
-    last_response.headers['Vary'].wont_be_nil
+    successful_cors_request '/', origin: 'http://192.168.0.3:8080'
+    _(last_response.headers['Access-Control-Allow-Origin']).must_equal 'http://192.168.0.3:8080'
+    _(last_response.headers['Vary']).wont_be_nil
   end
   it 'should add Vary header even if Access-Control-Allow-Origin header was added and it is generic (*)' do
-    successful_cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
-    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
-    last_response.headers['Vary'].must_equal 'Origin'
+    successful_cors_request '/public_without_credentials', origin: 'http://192.168.1.3:8080'
+    _(last_response.headers['Access-Control-Allow-Origin']).must_equal '*'
+    _(last_response.headers['Vary']).must_equal 'Origin'
   end
   it 'should support multi allow configurations for the same resource' do
-    successful_cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
-    last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://mucho-grande.com'
-    last_response.headers['Vary'].must_equal 'Origin'
+    successful_cors_request '/multi-allow-config', origin: 'http://mucho-grande.com'
+    _(last_response.headers['Access-Control-Allow-Origin']).must_equal 'http://mucho-grande.com'
+    _(last_response.headers['Vary']).must_equal 'Origin'
-    successful_cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
-    last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
-    last_response.headers['Vary'].must_equal 'Origin'
+    successful_cors_request '/multi-allow-config', origin: 'http://192.168.1.3:8080'
+    _(last_response.headers['Access-Control-Allow-Origin']).must_equal '*'
+    _(last_response.headers['Vary']).must_equal 'Origin'
   end
-  it "should not return CORS headers on OPTIONS request if Access-Control-Allow-Origin is not present" do
+  it 'should not return CORS headers on OPTIONS request if Access-Control-Allow-Origin is not present' do
     options '/get-only'
-    last_response.headers['Access-Control-Allow-Origin'].must_be_nil
+    _(last_response.headers['Access-Control-Allow-Origin']).must_be_nil
   end
-  it "should not apply CORS headers if it does not match conditional on resource" do
+  it 'should not apply CORS headers if it does not match conditional on resource' do
     header 'Origin', 'http://192.168.0.1:1234'
     get '/conditional'
-    last_response.wont_render_cors_success
+    _(last_response).wont_render_cors_success
   end
-  it "should apply CORS headers if it does match conditional on resource" do
+  it 'should apply CORS headers if it does match conditional on resource' do
     header 'X-OK', '1'
-    successful_cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+    successful_cors_request '/conditional', origin: 'http://192.168.0.1:1234'
   end
-  it "should not allow everything if Origin is configured as blank string" do
-    cors_request '/blank-origin', origin: "http://example.net"
-    last_response.wont_render_cors_success
+  it 'should not allow everything if Origin is configured as blank string' do
+    cors_request '/blank-origin', origin: 'http://example.net'
+    _(last_response).wont_render_cors_success
   end
-  it "should not allow credentials for public resources" do
+  it 'should not allow credentials for public resources' do
     successful_cors_request '/public'
-    last_response.headers['Access-Control-Allow-Credentials'].must_be_nil
+    _(last_response.headers['Access-Control-Allow-Credentials']).must_be_nil
   end
   describe 'logging' do
@@ -189,7 +219,7 @@ describe Rack::Cors do
       logger = mock
       logger.expects(:debug).never
-      cors = Rack::Cors.new(app, :debug => false, :logger => logger) {}
+      cors = Rack::Cors.new(app, debug: false, logger: logger) {}
       cors.send(:debug, {}, 'testing')
     end
@@ -200,7 +230,7 @@ describe Rack::Cors do
       logger = mock
       logger.expects(:debug)
-      cors = Rack::Cors.new(app, :debug => true, :logger => logger) {}
+      cors = Rack::Cors.new(app, debug: true, logger: logger) {}
       cors.send(:debug, {}, 'testing')
     end
@@ -211,8 +241,8 @@ describe Rack::Cors do
       logger = mock
       logger.expects(:debug).at_least_once
-      cors = Rack::Cors.new(app, :debug => true) {}
-      cors.call({'rack.logger' => logger, 'HTTP_ORIGIN' => 'test.com'})
+      cors = Rack::Cors.new(app, debug: true) {}
+      cors.call({ 'rack.logger' => logger, 'HTTP_ORIGIN' => 'test.com' })
     end
     it 'should use logger proc' do
@@ -222,8 +252,8 @@ describe Rack::Cors do
       logger = mock
       logger.expects(:debug)
-      cors = Rack::Cors.new(app, :debug => true, :logger => proc { logger }) {}
-      cors.call({'HTTP_ORIGIN' => 'test.com'})
+      cors = Rack::Cors.new(app, debug: true, logger: proc { logger }) {}
+      cors.call({ 'HTTP_ORIGIN' => 'test.com' })
     end
     describe 'with Rails setup' do
@@ -238,89 +268,118 @@ describe Rack::Cors do
         logger = mock
         logger.expects(:debug)
-        ::Rails = OpenStruct.new(:logger => logger)
+        ::Rails = OpenStruct.new(logger: logger)
-        cors = Rack::Cors.new(app, :debug => true) {}
-        cors.call({'HTTP_ORIGIN' => 'test.com'})
+        cors = Rack::Cors.new(app, debug: true) {}
+        cors.call({ 'HTTP_ORIGIN' => 'test.com' })
       end
     end
+    it 'should use Logger if none is set' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+      logger = mock
+      Logger.expects(:new).returns(logger)
+      logger.expects(:tap).returns(logger)
+      logger.expects(:debug)
+      cors = Rack::Cors.new(app, debug: true) {}
+      cors.call({ 'HTTP_ORIGIN' => 'test.com' })
+    end
   end
   describe 'preflight requests' do
     it 'should fail if origin is invalid' do
       preflight_request('http://allyourdataarebelongtous.com', '/')
-      last_response.wont_render_cors_success
-      cors_result.wont_be :hit
-      cors_result.must_be :preflight
+      _(last_response).wont_render_cors_success
+      _(cors_result).wont_be :hit
+      _(cors_result).must_be :preflight
     end
     it 'should fail if Access-Control-Request-Method is not allowed' do
-      preflight_request('http://localhost:3000', '/get-only', :method => :post)
-      last_response.wont_render_cors_success
-      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
-      cors_result.wont_be :hit
-      cors_result.must_be :preflight
+      preflight_request('http://localhost:3000', '/get-only', method: :post)
+      _(last_response).wont_render_cors_success
+      _(cors_result.miss_reason).must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      _(cors_result).wont_be :hit
+      _(cors_result).must_be :preflight
     end
     it 'should fail if header is not allowed' do
-      preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
-      last_response.wont_render_cors_success
-      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_HEADER
-      cors_result.wont_be :hit
-      cors_result.must_be :preflight
+      preflight_request('http://localhost:3000', '/single_header', headers: 'Fooey')
+      _(last_response).wont_render_cors_success
+      _(cors_result.miss_reason).must_equal Rack::Cors::Result::MISS_DENY_HEADER
+      _(cors_result).wont_be :hit
+      _(cors_result).must_be :preflight
     end
     it 'should allow any header if headers = :any' do
-      preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Fooey')
+      _(last_response).must_render_cors_success
     end
     it 'should allow any method if methods = :any' do
-      preflight_request('http://localhost:3000', '/', :methods => :any)
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', methods: :any)
+      _(last_response).must_render_cors_success
+    end
+    it 'allows PATCH method' do
+      preflight_request('http://localhost:3000', '/', methods: [:patch])
+      _(last_response).must_render_cors_success
     end
     it 'should allow header case insensitive match' do
-      preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/single_header', headers: 'X-Domain-Token')
+      _(last_response).must_render_cors_success
     end
     it 'should allow multiple headers match' do
       # Webkit style
-      preflight_request('http://localhost:3000', '/two_headers', :headers => 'X-Requested-With, X-Domain-Token')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/two_headers', headers: 'X-Requested-With, X-Domain-Token')
+      _(last_response).must_render_cors_success
       # Gecko style
-      preflight_request('http://localhost:3000', '/two_headers', :headers => 'x-requested-with,x-domain-token')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/two_headers', headers: 'x-requested-with,x-domain-token')
+      _(last_response).must_render_cors_success
     end
-    it 'should * origin should allow any origin' do
+    it "should allow '*' origins to allow any origin" do
       preflight_request('http://locohost:3000', '/public')
-      last_response.must_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).must_equal '*'
+    end
+    it "should allow '/<path>/' resource if match pattern is /<path>/*" do
+      preflight_request('http://localhost:3000', '/wildcard/')
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).wont_equal nil
+    end
+    it "should allow '/<path>' resource if match pattern is /<path>/*" do
+      preflight_request('http://localhost:3000', '/wildcard')
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).wont_equal nil
     end
-    it 'should * origin should allow any origin, and set * if no credentials required' do
+    it "should allow '*' origin to allow any origin, and set '*' if no credentials required" do
       preflight_request('http://locohost:3000', '/public_without_credentials')
-      last_response.must_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).must_equal '*'
     end
     it 'should return "file://" as header with "file://" as origin' do
       preflight_request('file://', '/')
-      last_response.must_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'file://'
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).must_equal 'file://'
     end
-    it 'should return a Content-Type' do
-      preflight_request('http://localhost:3000', '/')
-      last_response.must_render_cors_success
-      last_response.headers['Content-Type'].wont_be_nil
+    it 'supports custom protocols in origin' do
+      preflight_request('custom-protocol://abcdefg', '/')
+      _(last_response).must_render_cors_success
+      _(last_response.headers['Access-Control-Allow-Origin']).must_equal 'custom-protocol://abcdefg'
     end
     describe '' do
       let(:app) do
         test = self
         Rack::Builder.new do
@@ -328,36 +387,36 @@ describe Rack::Cors do
           use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
             allow do
               origins '*'
-              resource '/', :methods => :post
+              resource '/', methods: :post
             end
           end
           map('/') do
-            run ->(env) { [500, {'Content-Type' => 'text/plain'}, ['FAIL!']] }
+            run ->(_env) { [500, {}, ['FAIL!']] }
           end
         end
       end
-      it "should not send failed preflight requests thru the app" do
-        preflight_request('http://localhost', '/', :method => :unsupported)
-        last_response.wont_render_cors_success
-        last_response.status.must_equal 200
-        cors_result.must_be :preflight
-        cors_result.wont_be :hit
-        cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      it 'should not send failed preflight requests thru the app' do
+        preflight_request('http://localhost', '/', method: :unsupported)
+        _(last_response).wont_render_cors_success
+        _(last_response.status).must_equal 200
+        _(cors_result).must_be :preflight
+        _(cors_result).wont_be :hit
+        _(cors_result.miss_reason).must_equal Rack::Cors::Result::MISS_DENY_METHOD
       end
     end
   end
-  describe "with insecure configuration" do
+  describe 'with insecure configuration' do
     let(:app) { load_app('insecure') }
-    it "should raise an error" do
-      proc { cors_request '/public' }.must_raise Rack::Cors::Resource::CorsMisconfigurationError
+    it 'should raise an error' do
+      _(proc { cors_request '/public' }).must_raise Rack::Cors::Resource::CorsMisconfigurationError
     end
   end
-  describe "with non HTTP config" do
-    let(:app) { load_app("non_http") }
+  describe 'with non HTTP config' do
+    let(:app) { load_app('non_http') }
     it 'should support non http/https origins' do
       successful_cors_request '/public', origin: 'content://com.company.app'
@@ -369,13 +428,13 @@ describe Rack::Cors do
       @app ||= Rack::Builder.new do
         use Rack::Cors
         use Rack::Lint
-        run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+        run ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['hello']] }
       end
     end
     it 'is lint-compliant with non-CORS request' do
       get '/'
-      last_response.status.must_equal 200
+      _(last_response.status).must_equal 200
     end
   end
@@ -389,19 +448,19 @@ describe Rack::Cors do
           end
         end
         map('/') do
-          run ->(env) { [200, {'Content-Type' => 'text/plain', 'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
+          run ->(_env) { [200, { 'Access-Control-Allow-Origin' => 'http://foo.net' }, ['success']] }
         end
       end
     end
-    it "should return app header" do
-      successful_cors_request origin: "http://example.net"
-      last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
+    it 'should return app header' do
+      successful_cors_request origin: 'http://example.net'
+      _(last_response.headers['Access-Control-Allow-Origin']).must_equal 'http://foo.net'
     end
-    it "should return original headers if in debug" do
-      successful_cors_request origin: "http://example.net"
-      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "*"
+    it 'should return original headers if in debug' do
+      successful_cors_request origin: 'http://example.net'
+      _(last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin']).must_equal '*'
     end
   end
@@ -415,14 +474,14 @@ describe Rack::Cors do
           end
         end
         map('/') do
-          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+          run ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['hello']] }
         end
       end
     end
     it 'should succeed with CORS simple headers' do
-      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Accept')
+      _(last_response).must_render_cors_success
     end
   end
@@ -436,47 +495,46 @@ describe Rack::Cors do
           end
         end
         map('/') do
-          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+          run ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['hello']] }
         end
       end
     end
     it 'should succeed with CORS simple headers' do
-      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
-      last_response.must_render_cors_success
-      preflight_request('http://localhost:3000', '/', :headers => 'Accept-Language')
-      last_response.must_render_cors_success
-      preflight_request('http://localhost:3000', '/', :headers => 'Content-Type')
-      last_response.must_render_cors_success
-      preflight_request('http://localhost:3000', '/', :headers => 'Content-Language')
-      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Accept')
+      _(last_response).must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Accept-Language')
+      _(last_response).must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Content-Type')
+      _(last_response).must_render_cors_success
+      preflight_request('http://localhost:3000', '/', headers: 'Content-Language')
+      _(last_response).must_render_cors_success
     end
   end
   protected
-    def cors_request(*args)
-      path = args.first.is_a?(String) ? args.first : '/'
-      opts = { :method => :get, :origin => 'http://localhost:3000' }
-      opts.merge! args.last if args.last.is_a?(Hash)
+  def cors_request(*args)
+    path = args.first.is_a?(String) ? args.first : '/'
-      header 'Origin', opts[:origin]
-      current_session.__send__ opts[:method], path, {}, test: self
-    end
+    opts = { method: :get, origin: 'http://localhost:3000' }
+    opts.merge! args.last if args.last.is_a?(Hash)
-    def successful_cors_request(*args)
-      cors_request(*args)
-      last_response.must_render_cors_success
-    end
+    header 'origin', opts[:origin]
+    current_session.__send__ opts[:method], path, {}, test: self
+  end
-    def preflight_request(origin, path, opts = {})
-      header 'Origin', origin
-      unless opts.key?(:method) && opts[:method].nil?
-        header 'Access-Control-Request-Method', opts[:method] ? opts[:method].to_s.upcase : 'GET'
-      end
-      if opts[:headers]
-        header 'Access-Control-Request-Headers', opts[:headers]
-      end
-      options path
+  def successful_cors_request(*args)
+    cors_request(*args)
+    _(last_response).must_render_cors_success
+  end
+  def preflight_request(origin, path, opts = {})
+    header 'Origin', origin
+    unless opts.key?(:method) && opts[:method].nil?
+      header 'Access-Control-Request-Method', opts[:method] ? opts[:method].to_s.upcase : 'GET'
     end
+    header 'Access-Control-Request-Headers', opts[:headers] if opts[:headers]
+    options path
+  end
 end