Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/fixtures/themes
History
Krzysztof Kotlarek 99086edf85
FIX: Allow themes to upload and serve js files (#8188) 
If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error:
`Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.`

The reason is that content type is `application/javascript` and in Rails 5 guard looked like that:
https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280
However, in Rails 6 `application` was added to regex:
https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284

This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
 		2019-10-14 15:40:33 +11:00
..
discourse-test-theme.zip SECURITY: Safely decompress backups when restoring. (#8166) 2019-10-09 11:41:16 -03:00
test.js FIX: Allow themes to upload and serve js files (#8188) 2019-10-14 15:40:33 +11:00