FIX: Allow themes to upload and serve js files (#8188)

If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2025-02-25 18:55:32 -06:00 · 2019-10-14 15:40:33 +11:00
parent e4fe864c0b
commit 99086edf85
3 changed files with 9 additions and 0 deletions
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@@ -265,6 +265,13 @@ describe UploadsController do
        .to eq(%Q|attachment; filename="logo.png"; filename*=UTF-8''logo.png|)
    end

+    it 'returns 200 when js file' do
+      ActionDispatch::FileHandler.any_instance.stubs(:match?).returns(false)
+      upload = upload_file("test.js", "themes")
+      get upload.url
+      expect(response.status).to eq(200)
+    end
+
    it "handles image without extension" do
      SiteSetting.authorized_extensions = "*"
      upload = upload_file("image_no_extension")