firefox/testing/web-platform/tests/fetch/api/resources/stash-put.py

from wptserve.utils import isomorphic_decode

def should_be_treated_as_same_origin_request(request):
  """Tells whether request should be treated as same-origin request."""
  # In both of the following cases, allow to proceed with handling to simulate
  # 'no-cors' mode: response is sent, but browser will make it opaque.
  if request.GET.first(b'mode') == b'no-cors':
    return True

  # We can't rely on the Origin header field of a fetch request, as it is only
  # present for 'cors' mode or methods other than 'GET'/'HEAD' (i.e. present for
  # 'POST'). See https://fetch.spec.whatwg.org/#http-origin
  assert 'frame_origin ' in request.GET
  frame_origin = request.GET.first(b'frame_origin').decode('utf-8')
  host_origin = request.url_parts.scheme + '://' + request.url_parts.netloc
  return frame_origin == host_origin

def main(request, response):
  if request.method == u'OPTIONS':
    # CORS preflight
    response.headers.set(b'Access-Control-Allow-Origin', b'*')
    response.headers.set(b'Access-Control-Allow-Methods', b'*')
    response.headers.set(b'Access-Control-Allow-Headers', b'*')
    return 'done'

  if b'disallow_cross_origin' not in request.GET:
    response.headers.set(b'Access-Control-Allow-Origin', b'*')
  elif not should_be_treated_as_same_origin_request(request):
    # As simple requests will not trigger preflight, we have to manually block
    # cors requests before making any changes to storage.
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
    # https://fetch.spec.whatwg.org/#cors-preflight-fetch
    return 'not stashing for cors request'

  url_dir = u'/'.join(request.url_parts.path.split(u'/')[:-1]) + u'/'
  key = request.GET.first(b'key')
  value = request.GET.first(b'value')
  # value here must be a text string. It will be json.dump()'ed in stash-take.py.
  request.server.stash.put(key, isomorphic_decode(value), url_dir)

  return 'done'