Controller specs for JS actions (`format: :js`) are failing with Rails 4.1.0.rc1, producing the following error:
ActionController::InvalidCrossOriginRequest:
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
I'm just guessing, but this could be a new Rails feature that is affecting RSpec, which probably generates those requests from a different domain than expected by the application.
You can reproduce this by cloning https://github.com/mezuro/mezuro, on the branch rails4.1; after `bundle install`, run: `rspec spec/controllers/repositories_controller_spec.rb`.
From observing this application I can also say this affects GET requests, while POST requests are still working fine.
Running the application on the browser raises no errors or warnings as well as cucumber tests. And the tests with Rails 4.0.3 are OK. Also, I've tested this against rspec-rails 2.14.1 and 3.0.0.beta with the same results.
Thanks a lot!
Cause: rails/rails#13345
Based off the PR it would seem you need to do `xhr :get` rather than `get`, or manually pass the verification token. We don't directly implement the `get` function, it's a part of the Rails test helpers so you should use their preferred method (`xhr :get`).
Closing because this would fail on MiniTest too...
/cc @myronmarston @alindeman
Thanks @JonRowe, with `xhr :get` it worked as expected. Sorry for the inconvenience.
No worries, I had to research this to figure out what was going on! :)
This is helpful
http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags
Last update, now you can use:
```ruby
get :action, xhr: true, format: :js
```
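
An added illustration, not part of the thread and not Rails source code: a simplified pure-Ruby model of the condition behind the error reported above, showing why a plain `get` with `format: :js` is rejected while `xhr :get` and POST requests pass. The struct, helper names and sample requests are constructed for this example.

```ruby
# Simplified model (added example, not Rails source) of the check behind
# ActionController::InvalidCrossOriginRequest.
class InvalidCrossOriginRequest < StandardError; end

# Constructed request/response pair; field names are assumptions for this model.
Exchange = Struct.new(:verb, :headers, :content_type) do
  # XHR callers set X-Requested-With. A <script src=...> tag on another
  # site cannot add request headers, so it can never look like XHR.
  def xhr?
    headers["X-Requested-With"].to_s.casecmp("XMLHttpRequest").zero?
  end

  def get?
    verb == :get
  end

  def javascript_response?
    content_type.to_s.start_with?("text/javascript")
  end
end

# Runs after the action has rendered: a GET that produced JavaScript
# without being XHR is treated as a possible cross-site <script> include.
def verify_same_origin!(exchange)
  if exchange.get? && exchange.javascript_response? && !exchange.xhr?
    raise InvalidCrossOriginRequest, "non-XHR GET returned JavaScript"
  end
  :ok
end

# Hypothetical stand-ins for the test helpers discussed in the thread.
def plain_request(verb, content_type)
  Exchange.new(verb, {}, content_type)
end

def xhr_request(verb, content_type)
  Exchange.new(verb, { "X-Requested-With" => "XMLHttpRequest" }, content_type)
end

# Maps the raised error to a symbol so each case can be compared directly.
def outcome(exchange)
  verify_same_origin!(exchange)
rescue InvalidCrossOriginRequest
  :blocked
end
```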