Merge branch 'sh-fix-cross-site-forgery-errors' into 'master'

Return a blank JSON response for a missing .js file to prevent Rails CSRF errors Closes #40771 See merge request gitlab-org/gitlab-ce!16664

Merge branch 'sh-fix-cross-site-forgery-errors' into 'master'
Return a blank JSON response for a missing .js file to prevent Rails CSRF errors Closes #40771 See merge request gitlab-org/gitlab-ce!16664
e2a56af9 · Rémy Coutable · 47f6dbdf · 79a829a0 · e2a56af9
Commit e2a56af9 authored Jan 24, 2018 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

app/controllers/application_controller.rb app/controllers/application_controller.rb +2 -0

No files found.
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base
      format.html do
        render file: Rails.root.join("public", "404"), layout: false, status: "404"
      end
+      # Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file
+      format.js { render json: '', status: :not_found, content_type: 'application/json' }
      format.any { head :not_found }
    end
  end