Originally posted by **matthewmcgarvey** January 26, 2022
Right now, flow specs work because they use Chrome (headlessly). In my work to add an in-memory version, we lose the ability to run javascript. That means we lose the ability for the javascript layer to add on csrf tokens to requests. This causes requests to fail.
In looking at how Capybara deals with this, I found that Rails disables CSRF protection in the test environment
https://github.com/rails/rails/blob/1438c0416fed98b20475b0cbe0c8e3965705cad0/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt#L34
I think we should do something similar. At least, we could add a setting to allow disabling it.
The setting would be used here: https://github.com/luckyframework/lucky/blob/48d8f7b30367dd405e2bf78e1a2d797235bc82c3/src/lucky/protect_from_forgery.cr#L19-L26
Discussed in https://github.com/luckyframework/lucky/discussions/1655