improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

#-*- encoding: utf-8 -*-
import unittest

from roundup import mailer

class EncodingTestCase(unittest.TestCase):
    def testEncoding(self):
        a = lambda n, a, c, o: self.assertEqual(mailer.nice_sender_header(n,
            a, c), o)
        a('ascii', 'ascii@test.com', 'iso8859-1', 'ascii <ascii@test.com>')
        a(u'café', 'ascii@test.com', 'iso8859-1',
            '=?iso8859-1?q?caf=E9?= <ascii@test.com>')
        a(u'café', 'ascii@test.com', 'utf-8',
            '=?utf-8?b?Y2Fmw6k=?= <ascii@test.com>')
        a('as"ii', 'ascii@test.com', 'iso8859-1', '"as\\"ii" <ascii@test.com>')

# vim: set et sts=4 sw=4 :