From ac79948aaa5a83a1eae605e998da60f3103df2ef Mon Sep 17 00:00:00 2001
From: Matteo Centenaro <bugant@gmail.com>
Date: Mon, 8 Apr 2013 11:15:32 +0200
Subject: [PATCH] Add regression test for issue #50

Running specs you get

Failures:

  1) Rack::Protection::JsonCsrf with drop_session as default reaction reset the session
     Failure/Error: get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
     NoMethodError:
       undefined method `detect' for nil:NilClass
     # ./lib/rack/protection/base.rb:107:in `html?'
     # ./lib/rack/protection/frame_options.rb:32:in `call'
     # ./spec/json_csrf_spec.rb:54:in `block (3 levels) in <top (required)>'
---
 rack-protection/spec/json_csrf_spec.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/rack-protection/spec/json_csrf_spec.rb b/rack-protection/spec/json_csrf_spec.rb
index 1abb4c0c..0b293dc8 100644
--- a/rack-protection/spec/json_csrf_spec.rb
+++ b/rack-protection/spec/json_csrf_spec.rb
@@ -31,6 +31,7 @@ describe Rack::Protection::JsonCsrf do
     it "accepts XHR requests" do
       get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
     end
+
   end
 
   describe 'not json response' do
@@ -41,4 +42,18 @@ describe Rack::Protection::JsonCsrf do
     end
 
   end
+
+  describe 'with drop_session as default reaction' do
+    it 'reset the session' do
+      mock_app do
+        use Rack::Protection, :reaction => :drop_session
+        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+      end
+
+      session = {:foo => :bar}
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+      last_response.should be_ok
+      session.should be_empty
+    end
+  end
 end