From 7f939358c5f7df720a78169ef03aba46d5ed47ed Mon Sep 17 00:00:00 2001
From: Sean Doyle
Date: Tue, 29 Oct 2024 10:13:09 -0400
Subject: [PATCH] Include CSRF `` elements in frame layout
Closes [#669][]
If a response to a request with the `Turbo-Frame:` header does not include the `` elements in the `` document, it's likely that the browser will remove any `` element present after handling navigating the `` that originated the request. In support of testing this behavior, this commit enables CSRF protection in the test suite.
---
 app/views/layouts/turbo_rails/frame.html.erb | 1 +
 test/dummy/app/controllers/application_controller.rb | 1 +
 test/dummy/config/environments/test.rb | 2 +-
 test/frames/frame_request_controller_test.rb | 2 ++
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/views/layouts/turbo_rails/frame.html.erb b/app/views/layouts/turbo_rails/frame.html.erb
index 0171671e..4241534d 100644
--- a/app/views/layouts/turbo_rails/frame.html.erb
+++ b/app/views/layouts/turbo_rails/frame.html.erb
@@ -1,5 +1,6 @@
+ <%= csrf_meta_tags %>
 <%= yield :head %>
diff --git a/test/dummy/app/controllers/application_controller.rb b/test/dummy/app/controllers/application_controller.rb
index 09705d12..e8065d95 100644
--- a/test/dummy/app/controllers/application_controller.rb
+++ b/test/dummy/app/controllers/application_controller.rb
@@ -1,2 +1,3 @@
 class ApplicationController < ActionController::Base
+ protect_from_forgery
 end
diff --git a/test/dummy/config/environments/test.rb b/test/dummy/config/environments/test.rb
index a482563f..af13e885 100644
--- a/test/dummy/config/environments/test.rb
+++ b/test/dummy/config/environments/test.rb
@@ -28,7 +28,7 @@
 config.action_dispatch.show_exceptions = :none
 # Disable request forgery protection in test environment.
- config.action_controller.allow_forgery_protection = false
+ config.action_controller.allow_forgery_protection = true
 # Print deprecation notices to the stderr.
 config.active_support.deprecation = :stderr
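Review bot: The added `<%= csrf_meta_tags %>` in app/views/layouts/turbo_rails/frame.html.erb puts a session-bound token into every response rendered with the frame layout, and nothing in the layout records that. If an application caches frame responses (fragment, page or shared HTTP caches), a token issued for one session could be served to another or go stale, so a comment next to the tag would help, for example `<%# CSRF meta tags are session-specific: do not cache this layout's output across sessions %>`. The helper also renders nothing when forgery protection is disabled, which is worth stating in the same comment. The layout's other lines are not readable in this hunk, so the placement is a suggestion only.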
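Review bot: In test/dummy/app/controllers/application_controller.rb, `protect_from_forgery` is called without `with:`, which in Rails selects the `:null_session` strategy, so a request with a missing or wrong token is handled with an empty session instead of raising. In a test suite this means a frame flow that loses its token can still return a successful response; `protect_from_forgery with: :exception` would make such a regression fail loudly. Whether the dummy app's loaded framework defaults already configure a strategy is not visible here.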
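Review bot: In test/dummy/config/environments/test.rb the context comment `# Disable request forgery protection in test environment.` now sits directly above `allow_forgery_protection = true` and says the opposite of what the setting does. Update it together with the flip, for example `# Enable request forgery protection so CSRF meta tags are rendered and tokens are verified in tests.` The configure block starts and ends outside the hunk.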
diff --git a/test/frames/frame_request_controller_test.rb b/test/frames/frame_request_controller_test.rb
index 41b1c512..72805297 100644
--- a/test/frames/frame_request_controller_test.rb
+++ b/test/frames/frame_request_controller_test.rb
@@ -14,6 +14,8 @@ class Turbo::FrameRequestControllerTest < ActionDispatch::IntegrationTest
 assert_select "head", count: 1
 assert_select "meta[name=test][content=present]"
+ assert_select "meta[name=csrf-param]"
+ assert_select "meta[name=csrf-token]"
 end
 test "frame request layout can be overridden" do
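Review bot: The two new `assert_select` calls only check that at least one `csrf-param` and one `csrf-token` meta element exist, so a duplicated tag or one without a `content` attribute would still pass. Tightening them to `assert_select "meta[name=csrf-param][content]", count: 1` and `assert_select "meta[name=csrf-token][content]", count: 1` pins exactly one tag each carrying a value attribute, matching the `count: 1` already used for `head`. The test block begins outside the hunk, so the request it issues is not visible here.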