1 files changed, 31 insertions, 0 deletions

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index d56241f9cd..d3f2ec6aa1 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -407,6 +407,37 @@ module RequestForgeryProtectionTests
     end
   end
 
+  def test_should_warn_on_not_same_origin_js
+    old_logger = ActionController::Base.logger
+    logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+    ActionController::Base.logger = logger
+
+    begin
+      assert_cross_origin_blocked { get :same_origin_js }
+
+      assert_equal 1, logger.logged(:warn).size
+      assert_match(/<script> tag on another site requested protected JavaScript/, logger.logged(:warn).last)
+    ensure
+      ActionController::Base.logger = old_logger
+    end
+  end
+
+  def test_should_not_warn_if_csrf_logging_disabled_and_not_same_origin_js
+    old_logger = ActionController::Base.logger
+    logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+    ActionController::Base.logger = logger
+    ActionController::Base.log_warning_on_csrf_failure = false
+
+    begin
+      assert_cross_origin_blocked { get :same_origin_js }
+
+      assert_equal 0, logger.logged(:warn).size
+    ensure
+      ActionController::Base.logger = old_logger
+      ActionController::Base.log_warning_on_csrf_failure = true
+    end
+  end
+
   # Allow non-GET requests since GET is all a remote <script> tag can muster.
   def test_should_allow_non_get_js_without_xhr_header
     session[:_csrf_token] = @token