.../EntityResource/EntityResourceTestBase.php      | 31 +++++++++++++++++-----
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
index ab9ad83..28cde71 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
@@ -156,12 +156,19 @@
 
   /**
    * Provides an entity resource.
+   *
+   * @param bool $single_format
+   *   Provisions a single-format entity REST resource. Defaults to FALSE.
    */
-  protected function provisionEntityResource() {
+  protected function provisionEntityResource($single_format = FALSE) {
+    $this->resourceConfigStorage->delete($this->resourceConfigStorage->loadMultiple());
+    $format = $single_format
+      ? [static::$format]
+      : [static::$format, 'xml'];
     // It's possible to not have any authentication providers enabled, when
     // testing public (anonymous) usage of a REST resource.
     $auth = isset(static::$auth) ? [static::$auth] : [];
-    $this->provisionResource([static::$format], $auth);
+    $this->provisionResource($format, $auth);
   }
 
   /**
@@ -433,15 +440,27 @@ public function testGet() {
       $this->assertResourceErrorResponse(404, 'No route found for "GET ' . str_replace($this->baseUrl, '', $this->getEntityResourceUrl()->setAbsolute()->toString()) . '"', $response);
     }
 
-    $this->provisionEntityResource();
-    // Simulate the developer again forgetting the ?_format query string.
+    // First: single format. Drupal will automatically pick the only format.
+    $this->provisionEntityResource(TRUE);
+    // DX: 403 because unauthorized single-format route, ?_format is omittable.
     $url->setOption('query', []);
-
-    // DX: …?!
+    $response = $this->request('GET', $url, $request_options);
+    $this->assertSame(403, $response->getStatusCode());
+    // DX: 403 because unauthorized.
+    $url->setOption('query', ['_format' => static::$format]);
     $response = $this->request('GET', $url, $request_options);
     $this->assertSame(403, $response->getStatusCode());
 
+    // Then, what we'll use for the remainder of the test: multiple formats.
+    $this->provisionEntityResource();
+    // DX: 406 because despite unauthorized, ?_format is not omittable.
+    $url->setOption('query', []);
+    $response = $this->request('GET', $url, $request_options);
+    $this->assertSame(406, $response->getStatusCode());
+    // DX: 403 because unauthorized.
     $url->setOption('query', ['_format' => static::$format]);
+    $response = $this->request('GET', $url, $request_options);
+    $this->assertSame(403, $response->getStatusCode());
 
     // DX: forgetting authentication: authentication provider-specific error
     // response.