Return a blank JSON response for a missing .js file to prevent Rails CSRF errorssh-fix-cross-site-forgery-errors

The default 404 handler would return the Content-Type format based on the given format extension. This would cause the Rails CSRF protection to flag an error, since the .js extension gets mapped to text/javascript format. Closes #40771
author: Stan Hu <stanhu@gmail.com> 2018-01-23 22:02:33 -0800
committer: Stan Hu <stanhu@gmail.com> 2018-01-23 22:24:30 -0800
commit: 79a829a0372a974bb3d40e66ca3fdc213200db40 (patch)
tree: 54faeb40627528221553a4d108c317eb4d8bb86a
parent: 4bf2fded92e05420e6d103c8df63d6d83198a684 (diff)
download: gitlab-ce-sh-fix-cross-site-forgery-errors.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ee21d81f23e..95ad38d9230 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base
       format.html do
         render file: Rails.root.join("public", "404"), layout: false, status: "404"
       end
+      # Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file
+      format.js { render json: '', status: :not_found, content_type: 'application/json' }
       format.any { head :not_found }
     end
   end
author	Stan Hu <stanhu@gmail.com>	2018-01-23 22:02:33 -0800
committer	Stan Hu <stanhu@gmail.com>	2018-01-23 22:24:30 -0800
commit	79a829a0372a974bb3d40e66ca3fdc213200db40 (patch)
tree	54faeb40627528221553a4d108c317eb4d8bb86a
parent	4bf2fded92e05420e6d103c8df63d6d83198a684 (diff)
download	gitlab-ce-sh-fix-cross-site-forgery-errors.tar.gz