.../EntityResource/EntityResourceTestBase.php | 65 +++++-----------------
 1 file changed, 14 insertions(+), 51 deletions(-)
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
index 33bc637..aa2b3ca 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
@@ -470,59 +470,22 @@ protected function assert406Response(ResponseInterface $response) {
 /**
 * Simulate common developer mistake when performing an unsafe operation:
- * 1. forget to specify Content-Type request header (this should be a problem for POST + PATCH, not for DELETE)
- * 2. forget to specify the X-CSRF-Token request header
- * 3. specify in invalid X-CSRF-Token request header value
+ * - forget to specify the X-CSRF-Token request header
+ * - specify in invalid X-CSRF-Token request header value
+ *
+ * In either case, the REST module must provide meaningful feedback for DX.
 */
-
-/* if (static::$auth === 'cookie')
- // Try without CSRF token.
- try {
- $this->httpClient->post($url->toString(), $options);
- }
- catch (ClientException $e) {
- var_dump($e->getResponse()->getStatusCode());
- var_dump((string)$e->getResponse()->getBody());
- exit;
- }
-// return;
-//
-// $this->assertSame(403, $this->getSession()->getStatusCode());
-// $this->assertSession()->responseHeaderEquals('Content-Type', 'text/plain');
-// $this->assertSession()->responseContains('X-CSRF-Token request header is missing');
-
-
- // Add invalid CSRF token.
- $options[RequestOptions::HEADERS]['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
-
+ protected function performUnsafeOperation($method) {
+ // Try without CSRF token
+ // …request
+ $this->assertSame(403, $this->getSession()->getStatusCode());
+ $this->assertSession()->responseContains('X-CSRF-Token request header is missing');
 // Try with invalid CSRF token
- try {
- $this->httpClient->post($url->toString(), $options);
- }
- catch (ClientException $e) {
-// 'X-CSRF-Token request header is invalid'
- $this->assertErrorResponse(403, '', $e->getResponse());
- }
-
+ // …request
+ $this->assertSame(403, $this->getSession()->getStatusCode());
+ $this->assertSession()->responseContains('X-CSRF-Token request header is invalid');
 // Try with valid CSRF token
- try {
- $response = $this->httpClient->get(Url::fromRoute('system.csrftoken')->toString(), $this->getAuthenticationRequestOptions());
- }
- catch (ClientException $e) {
- $this->fail('Request for CSRF token failed: ' . $e->getResponse()->getStatusCode() . ' response received.');
- }
- $csrf_token = (string)$response->getBody();
-
- // Set valid CSRF token.
- $options[RequestOptions::HEADERS]['X-CSRF-Token'] = $csrf_token;
-
- // Try with valid CSRF token.
- try {
- $response = $this->httpClient->post($url->toString(), $options);
- }
- catch (ClientException $e) {
-// 'X-CSRF-Token request header is invalid'
- $this->assertErrorResponse(403, 'adsfsadfasdf', $e->getResponse());
- }*/
+ // …request
+ }
 }
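Review bot: performUnsafeOperation() runs `$this->assertSame(403, $this->getSession()->getStatusCode());` twice without issuing any request in between — the `// …request` placeholders mean both 403 checks inspect whatever response the Mink session last received, so a regression that stopped rejecting a missing or invalid X-CSRF-Token header would go unnoticed, and the valid-token branch has no assertion at all, leaving the positive path unverified. Each branch needs an actual request carrying the corresponding header state before its assertions; the removed code drove requests through `$this->httpClient`, and responses from that client presumably do not populate `$this->getSession()`, so the helper should commit to one transport and assert on its response object. The `$method` parameter is never read — either use it to select the HTTP verb for the requests or drop it, and document it with `@param string $method` in the docblock above. Minor wording in that docblock: `* - specify in invalid X-CSRF-Token request header value` should read `an invalid`.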