diff options
| author | Rémy Coutable <remy@rymai.me> | 2018-05-14 17:55:19 +0300 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2018-05-14 17:55:19 +0300 |
| commit | f805546f98dcfd5fd8e3da890ff4f23ff8de1a66 (patch) | |
| tree | 64d3af7475a8f015c04853dc1af577ceeda57af5 /app | |
| parent | ca9bce4aa1a7b40616f83c9f2cd5ed452e253001 (diff) | |
| parent | 0c43170630b5b4e90e8f91526066435a06e077eb (diff) | |
Merge branch 'sh-fix-cross-site-origin-uploads-js' into 'master'
Fix cross-origin errors when attempting to download JavaScript attachments
Closes #45826
See merge request gitlab-org/gitlab-ce!18936
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/concerns/send_file_upload.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/app/controllers/concerns/send_file_upload.rb b/app/controllers/concerns/send_file_upload.rb index 55011c89886..237c93daee8 100644 --- a/app/controllers/concerns/send_file_upload.rb +++ b/app/controllers/concerns/send_file_upload.rb @@ -2,6 +2,10 @@ module SendFileUpload def send_upload(file_upload, send_params: {}, redirect_params: {}, attachment: nil, disposition: 'attachment') if attachment redirect_params[:query] = { "response-content-disposition" => "#{disposition};filename=#{attachment.inspect}" } + # By default, Rails will send uploads with an extension of .js with a + # content-type of text/javascript, which will trigger Rails' + # cross-origin JavaScript protection. + send_params[:content_type] = 'text/plain' if File.extname(attachment) == '.js' send_params.merge!(filename: attachment, disposition: disposition) end |