Return a blank JSON response for a missing .js file to prevent Rails CSRF errors

The default 404 handler would return the Content-Type format based on the given format extension. This would cause the Rails CSRF protection to flag an error, since the .js extension gets mapped to text/javascript format. Closes #40771
2018-01-23 22:02:33 -08:00 · 2018-01-23 22:02:33 -08:00 · 79a829a037
parent 4bf2fded92
commit 79a829a037
1 changed files with 2 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base
      format.html do
        render file: Rails.root.join("public", "404"), layout: false, status: "404"
      end
+      # Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file
+      format.js { render json: '', status: :not_found, content_type: 'application/json' }
      format.any { head :not_found }
    end
  end