Fix InvalidCrossOriginRequest response

When requesting files like `/hackattempt.js`, the pages controller was
responding with a 404 status code.

However, since the request was considered a JavaScript request (because
of the `.js` extension), the response was also considered to be a
JavaScript one, and since the request wasn't an AJAX request, our
protection from forgery was preventing a potential security issue by
raising an InvalidCrossOriginRequest exception.

By setting HTML as content type, we correctly respond with a 404 status
code.

More info:

https://die-antwort.eu/techblog/2018-08-avoid-invalid-cross-origin-request-with-catch-all-route/
Javi Martín
2019-04-24 16:44:24 +02:00
parent b33401ca0f
commit d90efa15e4
2 changed files with 6 additions and 1 deletion

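The commit message explains why a 404 for `/hackattempt.js` raised `InvalidCrossOriginRequest`: the response inherited the `text/javascript` format from the extension, and Rails refuses to serve a JavaScript body to a request that did not come through XHR, because a cross-site `<script src=...>` tag could read it. The following is an added example, not code from this project or from Rails: a dependency-free model of that check, written against the regex Rails 5 uses in `non_xhr_javascript_response?`, with the "before" behaviour (404 inherits the request format) beside the "after" behaviour (404 forced to HTML). `Request`, `Response`, `render_missing_before` and `render_missing_after` are stand-ins invented for the illustration; the exception class stands in for `ActionController::InvalidCrossOriginRequest`.

```ruby
# Added example (not the project's code): a Rack-free model of the Rails
# same-origin check that produced the InvalidCrossOriginRequest described
# in the commit message. Stand-in names; Rails' real methods are
# verify_same_origin_request / non_xhr_javascript_response?.

class InvalidCrossOriginRequest < StandardError; end

# Minimal request: only the pieces the check looks at.
Request = Struct.new(:path, :xhr, keyword_init: true) do
  # Rails derives the format from the path extension when one is present;
  # this small table stands in for the real MIME lookup.
  def format
    case File.extname(path)
    when ".js"   then "text/javascript"
    when ".json" then "application/json"
    else              "text/html"
    end
  end
end

Response = Struct.new(:status, :content_type, keyword_init: true)

# A JavaScript body served to a plain (non-XHR) request is exactly what a
# cross-site <script src=...> could read, so Rails rejects that combination.
def non_xhr_javascript_response?(request, response)
  response.content_type.match?(%r{\A(?:text|application)/javascript}) && !request.xhr
end

def verify_same_origin!(request, response)
  if non_xhr_javascript_response?(request, response)
    raise InvalidCrossOriginRequest,
          "Security warning: non-XHR JavaScript response for #{request.path}"
  end
  response
end

# Before the fix: the 404 inherits the request format, so /anything.js gets
# a text/javascript 404 and the check above raises.
def render_missing_before(request)
  verify_same_origin!(request, Response.new(status: 404, content_type: request.format))
end

# After the fix: the 404 is rendered as HTML regardless of the extension, so
# nothing script-readable is served and the check passes.
def render_missing_after(request)
  verify_same_origin!(request, Response.new(status: 404, content_type: "text/html"))
end

if __FILE__ == $PROGRAM_NAME
  probe = Request.new(path: "/hackattempt.js", xhr: false)
  begin
    render_missing_before(probe)
  rescue InvalidCrossOriginRequest => e
    puts "before: #{e.message}"
  end
  fixed = render_missing_after(probe)
  puts "after: #{fixed.status} #{fixed.content_type}"
end
```

Running it prints the exception for the "before" path and `404 text/html` for the "after" path. Note that an XHR request for the same `.js` path passes the check even before the fix, which is why the bug only surfaced for direct (browser address bar or scanner) requests.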
@@ -42,6 +42,11 @@ describe PagesController do
get :show, params: { id: "nonExistentPage" }
expect(response).to be_missing
end
it "returns a 404 message for a JavaScript request" do
get :show, params: { id: "nonExistentJavaScript.js" }
expect(response).to be_missing
end
end
end
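Review bot: the new example `it "returns a 404 message for a JavaScript request"` only asserts the status with `be_missing`, while the fix itself is the content type; add an assertion such as `expect(response.content_type).to include "text/html"` after `expect(response).to be_missing` so a regression that restores the JavaScript 404 (which would raise InvalidCrossOriginRequest) is caught by the spec rather than by the exception alone. A blank line between the two `it` blocks would also match the layout of the surrounding examples in this `describe`.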