Return a blank JSON response for a missing .js file to prevent Rails CSRF errors
The default 404 handler would return the Content-Type format based on the given format extension. This would cause the Rails CSRF protection to flag an error, since the .js extension gets mapped to text/javascript format. Closes #40771
parent 4bf2fded92
commit 79a829a037
|
@ -147,6 +147,8 @@ class ApplicationController < ActionController::Base
|
||||||
format.html do
|
format.html do
|
||||||
render file: Rails.root.join("public", "404"), layout: false, status: "404"
|
render file: Rails.root.join("public", "404"), layout: false, status: "404"
|
||||||
end
|
end
|
||||||
|
# Prevent the Rails CSRF protector from thinking a missing .js file is a JavaScript file
|
||||||
|
format.js { render json: '', status: :not_found, content_type: 'application/json' }
|
||||||
format.any { head :not_found }
|
format.any { head :not_found }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
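Review bot: On the added `format.js` line, `render json: ''` sends an empty body labelled `application/json`, and an empty string is not a valid JSON document, so any client that parses the 404 body will fail on it. If a body is wanted, `render json: {}, status: :not_found` keeps the non-JavaScript content type and stays parseable. The comment above it would also be clearer if it named the actual condition from the commit message, that the `.js` extension maps to the `text/javascript` format and that response type is what trips the CSRF check. A request spec that fetches a missing `.js` path and asserts the 404 status and the `application/json` content type would keep this from regressing.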