From d90efa15e4e671b4316a7436bb4f56d9cd78cd64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Wed, 24 Apr 2019 16:44:24 +0200
Subject: [PATCH] Fix InvalidCrossOriginRequest response

When requesting files like `/hackattempt.js`, the pages controller was responding with 404 status code. However, since the request was considered a JavaScript request (because of the `.js` extension), the response was also considered to be a JavaScript one, and since the request wasn't an AJAX request, our protection from forgery was preventing a potential security issue by raising an InvalidCrossOriginRequest exception. By setting HTML as content type, we correctly respond with a 404 status code. More info: https://die-antwort.eu/techblog/2018-08-avoid-invalid-cross-origin-request-with-catch-all-route/
---
 app/controllers/pages_controller.rb       | 2 +-
 spec/controllers/pages_controller_spec.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
index 88ed65582..a4b01cf09 100644
--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -15,6 +15,6 @@ class PagesController < ApplicationController
       render action: params[:id]
     end
   rescue ActionView::MissingTemplate
-    head 404
+    head 404, content_type: "text/html"
   end
 end
diff --git a/spec/controllers/pages_controller_spec.rb b/spec/controllers/pages_controller_spec.rb
index ac0678691..00d3e1962 100644
--- a/spec/controllers/pages_controller_spec.rb
+++ b/spec/controllers/pages_controller_spec.rb
@@ -42,6 +42,11 @@ describe PagesController do
       get :show, params: { id: "nonExistentPage" }
       expect(response).to be_missing
     end
+
+    it "returns a 404 message for a JavaScript request" do
+      get :show, params: { id: "nonExistentJavaScript.js" }
+      expect(response).to be_missing
+    end
   end
 end
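Review bot: The reason for `content_type: "text/html"` on the new `head 404` line in pages_controller.rb is invisible in the code itself, so a later cleanup back to a bare `head 404` would silently reintroduce the InvalidCrossOriginRequest raised for a non-XHR request with a `.js` extension; the explanation lives only in the commit message. I would add a why-comment above the line, e.g. `# Force an HTML 404: for a ".js" request the implicit JavaScript response to a non-XHR GET is rejected by forgery protection with InvalidCrossOriginRequest`. The same rescue also applies to any other requested format (e.g. `.json`), which now receives an HTML 404 as well; that seems intended but is worth stating in the comment. The enclosing `show` method starts outside the hunk.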