Commit 79a829a0 authored by Stan Hu's avatar Stan Hu

Return a blank JSON response for a missing .js file to prevent Rails CSRF errors

The default 404 handler would return the Content-Type format based on the
given format extension. This would cause the Rails CSRF protection to flag an
error, since the .js extension gets mapped to text/javascript format.

Closes #40771
parent 4bf2fded
...@@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base ...@@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base
format.html do format.html do
render file: Rails.root.join("public", "404"), layout: false, status: "404" render file: Rails.root.join("public", "404"), layout: false, status: "404"
end end
# Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file
format.js { render json: '', status: :not_found, content_type: 'application/json' }
format.any { head :not_found } format.any { head :not_found }
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment