Validate an Origin header against explicit config or same-origin.
(
origin: str,
scope: dict[str, Any],
allowed_literal_origins: list[str],
allowed_origin_regex: Optional[re.Pattern[str]],
has_configured_allowed_origins: bool,
)
| 195 | |
| 196 | |
| 197 | def _is_request_origin_allowed( |
| 198 | origin: str, |
| 199 | scope: dict[str, Any], |
| 200 | allowed_literal_origins: list[str], |
| 201 | allowed_origin_regex: Optional[re.Pattern[str]], |
| 202 | has_configured_allowed_origins: bool, |
| 203 | ) -> bool: |
| 204 | """Validate an Origin header against explicit config or same-origin.""" |
| 205 | if has_configured_allowed_origins and _is_origin_allowed( |
| 206 | origin, allowed_literal_origins, allowed_origin_regex |
| 207 | ): |
| 208 | return True |
| 209 | |
| 210 | request_origin = _get_request_origin(scope) |
| 211 | if request_origin is None: |
| 212 | return False |
| 213 | return origin == request_origin |
| 214 | |
| 215 | |
| 216 | _SAFE_HTTP_METHODS = frozenset({"GET", "HEAD", "OPTIONS"}) |
no test coverage detected