Rspec-rails: `format: :js` causes failures on Rails 4.1.0.rc1

Created on 9 Mar 2014 · 6 comments · Source: rspec/rspec-rails

Controller specs for JS actions (format: :js) are failing with Rails 4.1.0.rc1 producing the following error:

```
ActionController::InvalidCrossOriginRequest:
       Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
```

I'm just guessing, but this could be a new Rails feature that is affecting RSpec, which probably generates those requests from a different domain than expected by the application.

You can reproduce this by cloning https://github.com/mezuro/mezuro, on the branch rails4.1, after bundle install, run: rspec spec/controllers/repositories_controller_spec.rb.

From observing this application I can also say this affects GET requests, while POST requests are still working fine.

Running the application in the browser raises no errors or warnings, and neither do the cucumber tests. And the tests with Rails 4.0.3 are OK. Also, I've tested this against rspec-rails 2.14.1 and 3.0.0.beta with the same results.

Thanks a lot!

All 6 comments

Cause: rails/rails#13345

Based off the PR it would seem you need to do xhr :get rather than get, or manually pass the verification token. We don't directly implement the get function, it's a part of the Rails test helpers so you should use their preferred method (xhr :get).

Closing because this would fail on MiniTest too...

/cc @myronmarston @alindeman

Thanks @JonRowe, with xhr :get it worked as expected. Sorry for the inconvenience.

No worries, I had to research this to figure out what was going on! :)

This is helpful
http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags

Last update, now you can use:
```ruby
get :action, xhr: true, format: :js
```
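
Added example, not part of the original thread and not Rails source code: a simplified pure-Ruby model of the same-origin check for JavaScript responses that the linked upgrade guide describes, showing why a plain `get ... format: :js` is rejected while an XHR GET passes. The `Request` struct, `verify_same_origin!`, `outcome` and the sample requests are constructed for illustration; token verification for POST is separate and not modelled here.

```ruby
# Simplified model (assumption-labelled, not Rails internals verbatim) of the
# CSRF same-origin check for JavaScript responses introduced in Rails 4.1.

class InvalidCrossOriginRequest < StandardError; end

# Constructed stand-in for a request: HTTP method plus request headers.
Request = Struct.new(:http_method, :headers) do
  def get?
    http_method == "GET"
  end

  # A <script src="..."> include cannot add this header; an XMLHttpRequest
  # caller (jQuery, or `xhr :get` in a controller spec) sends it.
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end
end

# Raises when a GET is answered with JavaScript but was not made via XHR,
# which is the shape of a cross-site <script> include. Returns :ok otherwise.
def verify_same_origin!(request, response_content_type)
  javascript = response_content_type.start_with?("text/javascript")
  if request.get? && javascript && !request.xhr?
    raise InvalidCrossOriginRequest,
          "an embedded <script> tag requested protected JavaScript"
  end
  :ok
end

# Reports the outcome as a symbol instead of raising, for the demo below.
def outcome(request, content_type)
  verify_same_origin!(request, content_type)
rescue InvalidCrossOriginRequest
  :blocked
end

# Constructed requests mirroring the spec calls discussed in the thread.
PLAIN_GET  = Request.new("GET", {})   # get :action, format: :js
XHR_GET    = Request.new("GET", { "X-Requested-With" => "XMLHttpRequest" }) # xhr :get
PLAIN_POST = Request.new("POST", {})  # post :action, format: :js

if __FILE__ == $PROGRAM_NAME
  { "plain GET" => PLAIN_GET, "XHR GET" => XHR_GET, "plain POST" => PLAIN_POST }.each do |name, req|
    puts "#{name} with JS response: #{outcome(req, 'text/javascript; charset=utf-8')}"
  end
  puts "plain GET with HTML response: #{outcome(PLAIN_GET, 'text/html')}"
end
```

The POST case passes this particular check because only GET requests are subject to it, which matches the reporter's observation that POST specs kept working.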
