Project

General

Profile

Actions
Copy link

Defect #42839

closed

Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest

Added by Steve Hanselman 11 months ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
SCM
Target version:
5.1.9
Resolution:
Fixed
Affected version:
5.1.8

Description

To recreate, find a .js file, click the download in the top right

ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:432:in `verify_same_origin_request'

Files

Download all files
clipboard-202506061026-eqbs8.png (8.62 KB) clipboard-202506061026-eqbs8.png Steve Hanselman, 2025-06-06 11:26
42839.patch (2.37 KB) 42839.patch Go MAEDA, 2025-06-28 10:09
42839-v2.patch (2.38 KB) 42839-v2.patch Go MAEDA, 2025-06-28 11:13

Related issues

Related to Redmine - Defect #43002: RepositoriesSubversionControllerTest fails in 5.1-stable due to missing foo.js in test repositoryClosedGo MAEDAActions
Actions
Copy link
 #1

Updated by Go MAEDA 11 months ago

  • Status changed from New to Confirmed
  • Affected version changed from 6.0.5 to 5.1.8
Actions
Copy link
 #2

Updated by Go MAEDA 11 months ago

The ActionController::InvalidCrossOriginRequest exception can be avoided by serving JavaScript files with the content type application/octet-stream instead of application/javascript. The attached patch fixes the reported issue by setting the content type appropriately.

Actions
Copy link
 #3

Updated by Go MAEDA 11 months ago

I have updated the patch to serve JavaScript files with the content type "text/plain", as it is more suitable than "application/octet-stream" for non-binary files.

Actions
Copy link
 #4

Updated by Go MAEDA 11 months ago

  • Target version changed from Candidate for next minor release to 5.1.9

Setting the target version to 5.1.9.

Actions
Copy link
 #5

Updated by Go MAEDA 10 months ago

  • Subject changed from Attempting to download a js file from SCM gives a 422 error with InvalidCrossOriginRequest in the log to Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest
  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix in r23857. Thank you for reporting the issue.

Actions
Copy link
 #6

Updated by Go MAEDA 10 months ago

  • Status changed from Resolved to Closed

Merged the fix into the stable branches in r23863 and r23864.

Actions
Copy link
 #7

Updated by Massimo Rossello 10 months ago

Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails

Actions
Copy link
 #8

Updated by Go MAEDA 10 months ago

Massimo Rossello wrote in #note-7:

Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails

Thank you for reporting this. I have opened #43002 to handle this issue.

Actions
Copy link
 #9

Updated by Go MAEDA 10 months ago

  • Related to Defect #43002: RepositoriesSubversionControllerTest fails in 5.1-stable due to missing foo.js in test repository added
Actions
Copy link

Also available in: Atom PDF