Defect #42839
closed
Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest
Added by Steve Hanselman about 1 month ago.
Updated 8 days ago.
Description
To recreate, find a .js file and click the download in the top right.

ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:432:in `verify_same_origin_request'
- Status changed from New to Confirmed
- Affected version changed from 6.0.5 to 5.1.8
The ActionController::InvalidCrossOriginRequest exception can be avoided by serving JavaScript files with the content type application/octet-stream instead of application/javascript. The attached patch fixes the reported issue by setting the content type appropriately.
I have updated the patch to serve JavaScript files with the content type "text/plain", as it is more suitable than "application/octet-stream" for non-binary files.
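Why the content type decides the outcome, as an added example that is not taken from the patch, Rails or Redmine: a simplified plain-Ruby model of the check performed by `verify_same_origin_request`, which rejects a non-XHR GET whose response carries a JavaScript media type. `Request`, `Response`, `media_type` and `download_status` are hypothetical stand-ins, and the sample content types are constructed.

```ruby
# Simplified model (added example, not Rails or Redmine source) of the
# after-action check behind ActionController::InvalidCrossOriginRequest.

# Media types treated as JavaScript by this check.
JS_MEDIA_TYPE = %r{\A(?:text|application)/javascript}

# Constructed stand-ins for a request and a response.
Request  = Struct.new(:http_method, :xhr, keyword_init: true)
Response = Struct.new(:content_type, keyword_init: true)

class InvalidCrossOriginRequest < StandardError; end

# Media type without parameters such as "; charset=utf-8".
def media_type(content_type)
  content_type.to_s.split(";").first.to_s.strip.downcase
end

# Raises when a plain (non-XHR) GET is about to receive JavaScript:
# a <script src=...> tag on another site issues exactly that kind of request,
# so the framework refuses to hand protected JavaScript to it.
def verify_same_origin_request!(request, response)
  return unless request.http_method == "GET"
  return if request.xhr
  return unless JS_MEDIA_TYPE.match?(media_type(response.content_type))
  raise InvalidCrossOriginRequest, "cross-origin JavaScript embedding blocked"
end

# Hypothetical helper: HTTP status a file download ends with for a given
# response content type (422 is the status reported in this issue).
def download_status(content_type, xhr: false)
  verify_same_origin_request!(Request.new(http_method: "GET", xhr: xhr),
                              Response.new(content_type: content_type))
  200
rescue InvalidCrossOriginRequest
  422
end

if __FILE__ == $PROGRAM_NAME
  ["application/javascript", "text/javascript; charset=utf-8",
   "application/octet-stream", "text/plain"].each do |type|
    puts format("%-32s -> %d", type, download_status(type))
  end
end
```

Serving the file as text/plain or application/octet-stream passes the check because the response is no longer something a `<script>` tag would execute, so the forgery protection itself stays enabled.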
- Target version changed from Candidate for next minor release to 5.1.9
Setting the target version to 5.1.9.
- Subject changed from Attempting to download a js file from SCM gives a 422 error with InvalidCrossOriginRequest in the log to Downloading .js files from the repository browser fails with a 422 error due to ActionController::InvalidCrossOriginRequest
- Status changed from Confirmed to Resolved
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the fix in r23857. Thank you for reporting the issue.
- Status changed from Resolved to Closed
Merged the fix into the stable branches in r23863 and r23864.
Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails
Massimo Rossello wrote in #note-7:
Version 5.1.9's subversion repository does not contain foo.js, thus the new test fails
Thank you for reporting this. I have opened #43002 to handle this issue.
- Related to Defect #43002: RepositoriesSubversionControllerTest fails in 5.1-stable due to missing foo.js in test repository added