Defect #42839

closed

Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest

Added by Steve Hanselman about 1 month ago. Updated 8 days ago.

Status: Closed
Priority: Normal
Assignee:
Category: SCM
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

To recreate, find a .js file, click the download in the top right

ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:432:in `verify_same_origin_request'

Files

clipboard-202506061026-eqbs8.png (8.62 KB) Steve Hanselman, 2025-06-06 11:26
42839.patch (2.37 KB) Go MAEDA, 2025-06-28 10:09
42839-v2.patch (2.38 KB) Go MAEDA, 2025-06-28 11:13

Related issues

Related to Redmine - Defect #43002: RepositoriesSubversionControllerTest fails in 5.1-stable due to missing foo.js in test repository (Closed, Go MAEDA)

Actions #1

Updated by Go MAEDA 22 days ago

  • Status changed from New to Confirmed
  • Affected version changed from 6.0.5 to 5.1.8
Actions #2

Updated by Go MAEDA 22 days ago

The ActionController::InvalidCrossOriginRequest exception can be avoided by serving JavaScript files with the content type application/octet-stream instead of application/javascript. The attached patch fixes the reported issue by setting the content type appropriately.

Actions #3

Updated by Go MAEDA 22 days ago

I have updated the patch to serve JavaScript files with the content type "text/plain", as it is more suitable than "application/octet-stream" for non-binary files.
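
The check behind the 422, as an added example that is not part of the original thread and is neither Rails nor Redmine source: a simplified stand-alone Ruby model of verify_same_origin_request, showing why the content types proposed in notes #2 and #3 avoid the exception. The Request struct, the download_status helper and the header handling are assumptions made for illustration.

```ruby
# Simplified stand-alone model of the Rails after-action check named in the
# trace (verify_same_origin_request). Illustration only, not Rails source.

class InvalidCrossOriginRequest < StandardError; end

# Media types treated as JavaScript by this model.
JS_MEDIA_TYPE = %r{\A(?:text|application)/javascript}

# Hypothetical minimal request object: HTTP verb plus request headers.
Request = Struct.new(:verb, :headers) do
  def get?
    verb == "GET"
  end

  # Script tags cannot set custom headers, so this header distinguishes an
  # XHR from script-tag inclusion.
  def xhr?
    headers["X-Requested-With"].to_s.match?(/XMLHttpRequest/i)
  end
end

# Raises when a plain (non-XHR) GET is about to receive a JavaScript body,
# the shape of response another site could pull in with a <script> tag.
def verify_same_origin_request(request, content_type)
  media_type = content_type.to_s.split(";").first.to_s.strip.downcase
  return unless request.get? && !request.xhr?
  return unless JS_MEDIA_TYPE.match?(media_type)

  raise InvalidCrossOriginRequest, "non-XHR GET answered with #{media_type}"
end

# Hypothetical helper: status a download ends with for a given content type.
def download_status(request, content_type)
  verify_same_origin_request(request, content_type)
  200
rescue InvalidCrossOriginRequest
  422 # the status reported in this issue
end

# Constructed sample: clicking the download link is an ordinary GET.
click = Request.new("GET", {})
%w[application/javascript application/octet-stream text/plain].each do |type|
  puts format("%-26s -> %d", type, download_status(click, type))
end
```

The model keys only on the request verb, the XHR header and the response media type, which is why changing the served content type is enough to let the download through without disabling forgery protection on the action.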

Actions #4

Updated by Go MAEDA 20 days ago

  • Target version changed from Candidate for next minor release to 5.1.9

Setting the target version to 5.1.9.

Actions #5

Updated by Go MAEDA 15 days ago

  • Subject changed from Attempting to download a js file from SCM gives a 422 error with InvalidCrossOriginRequest in the log to Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest
  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix in r23857. Thank you for reporting the issue.

Actions #6

Updated by Go MAEDA 14 days ago

  • Status changed from Resolved to Closed

Merged the fix into the stable branches in r23863 and r23864.

Actions #7

Updated by Massimo Rossello 8 days ago

Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails

Actions #8

Updated by Go MAEDA 8 days ago

Massimo Rossello wrote in #note-7:

Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails

Thank you for reporting this. I have opened #43002 to handle this issue.

Actions #9

Updated by Go MAEDA 7 days ago

  • Related to Defect #43002: RepositoriesSubversionControllerTest fails in 5.1-stable due to missing foo.js in test repository added