describe('security options', function() {
  beforeEach(function() {
    this.server = makeServer()
    clearWorkArea()
  })
  afterEach(function() {
    this.server.restore()
    clearWorkArea()
  })

  it('can disable a single elt', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var btn = make('<button hx-disable hx-get="/test">Initial</button>')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Initial')
  })

  it('can disable a parent elt', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var div = make('<div hx-disable><button id="b1" hx-get="/test">Initial</button></div>')
    var btn = byId('b1')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Initial')
  })

  it('can disable a single elt dynamically', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var btn = make('<button id="b1" hx-get="/test">Initial</button>')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    this.server.respondWith('GET', '/test', 'Clicked a second time')

    btn.setAttribute('hx-disable', '')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')
  })

  it('can disable a single elt dynamically & enable it back', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var btn = make('<button id="b1" hx-get="/test">Initial</button>')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    this.server.respondWith('GET', '/test', 'Clicked a second time')

    btn.setAttribute('hx-disable', '')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    btn.removeAttribute('hx-disable')
    htmx.process(btn)
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked a second time')
  })

  it('can disable a single parent elt dynamically', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var div = make('<div><button id="b1" hx-get="/test">Initial</button></div>')
    var btn = byId('b1')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    this.server.respondWith('GET', '/test', 'Clicked a second time')

    div.setAttribute('hx-disable', '')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')
  })

  it('can disable a single parent elt dynamically & enable it back', function() {
    this.server.respondWith('GET', '/test', 'Clicked!')

    var div = make('<div><button id="b1" hx-get="/test">Initial</button></div>')
    var btn = byId('b1')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    this.server.respondWith('GET', '/test', 'Clicked a second time')

    div.setAttribute('hx-disable', '')
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked!')

    div.removeAttribute('hx-disable')
    htmx.process(div)
    btn.click()
    this.server.respond()
    btn.innerHTML.should.equal('Clicked a second time')
  })

  it('can make egress cross site requests when htmx.config.selfRequestsOnly is disabled', function(done) {
    this.timeout(4000)
    htmx.config.selfRequestsOnly = false
    // should trigger send error, rather than reject
    var listener = htmx.on('htmx:sendError', function() {
      htmx.config.selfRequestsOnly = true
      htmx.off('htmx:sendError', listener)
      done()
    })
    this.server.restore() // use real xhrs
    // will 404, but should respond
    var btn = make('<button hx-get="https://hypermedia.systems/www/test">Initial</button>')
    btn.click()
  })

  it("can't make egress cross site requests when htmx.config.selfRequestsOnly is enabled", function(done) {
    this.timeout(4000)
    // should trigger send error, rather than reject
    var listener = htmx.on('htmx:invalidPath', function() {
      htmx.off('htmx:invalidPath', listener)
      done()
    })
    this.server.restore() // use real xhrs
    // will 404, but should respond
    var btn = make('<button hx-get="https://hypermedia.systems/www/test">Initial</button>')
    btn.click()
  })

  it('can cancel egress request based on htmx:validateUrl event', function(done) {
    this.timeout(4000)
    // should trigger send error, rather than reject
    var pathVerifier = htmx.on('htmx:validateUrl', function(evt) {
      evt.preventDefault()
      htmx.off('htmx:validateUrl', pathVerifier)
    })
    var listener = htmx.on('htmx:invalidPath', function() {
      htmx.off('htmx:invalidPath', listener)
      done()
    })
    this.server.restore() // use real xhrs
    // will 404, but should respond
    var btn = make('<button hx-get="https://hypermedia.systems/www/test">Initial</button>')
    btn.click()
  })

  it('can cancel egress request based on htmx:validateUrl event, sameHost is false', function(done) {
    this.timeout(4000)
    // should trigger send error, rather than reject
    var pathVerifier = htmx.on('htmx:validateUrl', function(evt) {
      if (evt.detail.sameHost === false) {
        evt.preventDefault()
      }
      htmx.off('htmx:validateUrl', pathVerifier)
    })
    var listener = htmx.on('htmx:invalidPath', function() {
      htmx.off('htmx:invalidPath', listener)
      done()
    })
    this.server.restore() // use real xhrs
    // will 404, but should respond
    var btn = make('<button hx-get="https://hypermedia.systems/www/test">Initial</button>')
    btn.click()
  })

  it('can disable script tag support with htmx.config.allowScriptTags', function() {
    var globalWasCalled = false
    window.callGlobal = function() {
      globalWasCalled = true
    }
    try {
      htmx.config.allowScriptTags = false
      this.server.respondWith('GET', '/test', '<div><script>callGlobal()</script></div>')
      var div = make("<div hx-get='/test'></div>")
      div.click()
      this.server.respond()
      globalWasCalled.should.equal(false)
    } finally {
      htmx.config.allowScriptTags = true
      delete window.callGlobal
    }
  })
})