github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-26 12:05:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove ember-cli specific response from application routes (#15155)

Browse Source 
Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label.

Previously the Rails application would serve JSON data in place of HTML whenever Ember CLI requested an `application.html.erb`-rendered page. This commit removes that logic, and instead parses the HTML out of the standard response. This means that Rails doesn't need to customize its response for Ember CLI.
This commit is contained in:
David Taylor
2021-12-01 16:10:40 +00:00
committed by GitHub
parent f37375f582
commit 1fa7a87f86
11 changed files with 265 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
spec/components/discourse_spec.rb
View File

@ -76,12 +76,6 @@ describe Discourse do
opts = Discourse.asset_filter_options(:js, req)
expect(opts[:path]).to eq("/hello")
end
it "overwrites the path if the asset path is present" do
req = stub(fullpath: "/bootstrap.json", headers: { "HTTP_X_DISCOURSE_ASSET_PATH" => "/hello" })
opts = Discourse.asset_filter_options(:js, req)
expect(opts[:path]).to eq("/hello")
end
end
context 'plugins' do