ActionController::InvalidCrossOriginRequest in Controller Test

Question

When running legacy controller tests like this one:

    get :edit, id: object.id, format: :js

My tests began failing in Rails 4.1 with the following error:

ActionController::InvalidCrossOriginRequest: Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

score 51 · Accepted Answer · answered May 05 '17 at 20:39

51

For Rails 5+

get :edit, params: { id: object.id }, xhr: true

answered May 05 '17 at 20:39

John Pollard

3,729
3
24
50

Hi, which file should this code go in? `routes.rb`? – alex Dec 10 '18 at 23:25
No this goes in your test files whenever you are calling a javascript request (like AJAX) in your tests. – John Pollard Dec 13 '18 at 01:55
Ah, I see. My ICOR was in production, rather than in tests. – alex Dec 13 '18 at 08:54

score 40 · Answer 2 · answered Jul 23 '14 at 19:13

40

Older versions of Rails accepted this, but the solution was to use the xhr method as follows:

  xhr :get, :edit, id: object.id

answered Jul 23 '14 at 19:13

Tom Rossi

11,604
5
65
96

5

This syntax has changed to `get edit_url(object), xhr: true` in Rails 5. – Michael Chaney Oct 26 '16 at 21:58

ActionController::InvalidCrossOriginRequest in Controller Test

2 Answers2