kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity
rails--rails/activestorage/app
History
Rosa Gutierrez d40284b1a4
Force content disposition to attachment for specific content types 
In this way we avoid HTML, XML, SVG and other files that can be rendered
by the browser to be served inline by default. Depending on the origin
from where these files are served, this might lead to XSS
vulnerabilities, and in the best case, to more realistic phishing
attacks and open redirects.

We force it rather than falling back to it when other disposition is not
provided. Otherwise it would be possible for someone to force inline
just by passing `disposition=inline` in the URL.

The list of content types to be served as attachments is configurable.
2018-01-05 16:32:32 +01:00
..
assets/javascripts Active Storage: Fix direct uploads in IE 11 2017-12-23 11:21:54 -05:00
controllers Exclude ActiveStorage::SetBlob from API docs [ci skip] 2018-01-02 22:49:18 -05:00
javascript/activestorage Active Storage: Fix direct uploads in IE 11 2017-12-23 11:21:54 -05:00
jobs/active_storage Permit configuring Active Storage's job queue 2017-11-03 11:29:21 -04:00
models/active_storage Force content disposition to attachment for specific content types 2018-01-05 16:32:32 +01:00