Add test to assert that POST is not simple top-level navigation
diff --git a/wicket-core-tests/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java b/wicket-core-tests/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
index c3e58bd..d4bc1c2 100644
--- a/wicket-core-tests/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
+++ b/wicket-core-tests/src/test/java/org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListenerTest.java
@@ -124,6 +124,18 @@
}
/**
+ * Tests that a POST is not a simple top-level navigation request and is blocked
+ */
+ @Test
+ void topLevelNavigationPostAborted()
+ {
+ tester.addRequestHeader(SEC_FETCH_SITE_HEADER, CROSS_SITE);
+ tester.addRequestHeader(SEC_FETCH_MODE_HEADER, MODE_NAVIGATE);
+
+ assertRequestAborted("POST");
+ }
+
+ /**
* Tests that requests rejected by fetch metadata have the Vary header set
*/
@Test
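Review bot: `topLevelNavigationPostAborted` pins only the cross-site POST case, so an implementation that rejected POST specifically, rather than limiting the navigation exemption to GET, would still pass. Now that `assertRequestAborted(String)` takes the method, the same two headers could be exercised with a second non-GET method, for example `assertRequestAborted("PUT");`, assuming `clickLink` carries that method through as it does for POST. A `same-site` variant of the headers would cover the sibling-origin case as well. The Javadoc could also state why this matters, e.g. `Tests that a cross-site form submission (POST with Sec-Fetch-Mode: navigate) is not exempted as a top-level navigation and is aborted`.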
@@ -205,7 +217,12 @@
private void assertRequestAborted()
{
- tester.getRequest().setMethod("GET");
+ assertRequestAborted("GET");
+ }
+
+ private void assertRequestAborted(String requestMethod)
+ {
+ tester.getRequest().setMethod(requestMethod);
tester.clickLink("link");
assertEquals(jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN,
tester.getLastResponse().getStatus());
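Review bot: The new `assertRequestAborted(String requestMethod)` overload has no comment, and the no-arg variant now means GET only implicitly. A one-line Javadoc on each would make the contract visible, e.g. `/** Clicks the link using the given HTTP method and asserts the response is 403 Forbidden. */` and `/** Same as assertRequestAborted("GET"). */`. The helper depends on the method set on `tester.getRequest()` being the one `clickLink` sends; the previous GET-only code could not show that because GET is presumably the default, so the comment should state that dependency. The helper's body continues past the last visible line of the hunk, so any further assertions there are not reviewed.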