cross-origin JavaScript protection with uploaded JS files
Hi,
I just updated to 8.10.3, but the problem is still there. I am unable to download a JavaScript file uploaded to an issue; I get a 422. The JS protection is too aggressive, I think! I don't have any problem with .txt or .jpg.
The error message is very straightforward:
Started GET "/mygroup/myproject/uploads/49d5a49e9ce6e0833ef7897db8817f94/delete_old_aggregates.js" for 176.138.162.151 at 2016-08-03 18:57:33 +0000
Processing by Projects::UploadsController#show as HTML
Parameters: {"namespace_id"=>"runmyprocess", "project_id"=>"runmylog", "secret"=>"49d5a49e9ce6e0833ef7897db8817f94", "filename"=>"rml_delete_old_aggregates.js"}
Sent file /data/git/gitlab/public/uploads/mygroup/myproject/49d5a49e9ce6e0833ef7897db8817f94/rml_delete_old_aggregates.js (0.1ms)
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Completed 422 Unprocessable Entity in 38ms (ActiveRecord: 3.1ms)
ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
lib/gitlab/middleware/go.rb:16:in `call'
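
The following is an added example, not part of the original report and not GitLab or Rails code. It is a simplified Ruby model of the check behind the warning in the log, showing why a `.js` upload fetched with a plain GET ends in 422 while `.txt` and `.jpg` do not, and how serving uploads as downloads keeps them out of the check. The MIME table, helper names and the `force_download` option are assumptions made for illustration.

```ruby
# Simplified model (assumption) of the rule behind the log message:
# a JavaScript-typed response to a request that is not XHR is refused.
class InvalidCrossOriginRequest < StandardError; end

JS_TYPE = %r{\A(?:text|application)/javascript}

# Hypothetical extension-to-type table standing in for the MIME lookup.
MIME_BY_EXT = {
  ".js"  => "text/javascript",
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg"
}.freeze

# Build a constructed response for an uploaded file.
def build_response(filename, xhr: false, force_download: false)
  ext = File.extname(filename).downcase
  headers = { "Content-Type" => MIME_BY_EXT.fetch(ext, "application/octet-stream") }
  if force_download
    # Hardened variant: never hand user uploads to the browser as script.
    safe_name = File.basename(filename).gsub(/[^\w.\-]/, "_")
    headers["Content-Type"] = "application/octet-stream"
    headers["Content-Disposition"] = %(attachment; filename="#{safe_name}")
    headers["X-Content-Type-Options"] = "nosniff"
  end
  { xhr: xhr, headers: headers }
end

# Raise when a script-typed body would be returned to a non-XHR request,
# which is what a <script src=...> tag on another site would send.
def verify_same_origin!(resp)
  if resp[:headers]["Content-Type"] =~ JS_TYPE && !resp[:xhr]
    raise InvalidCrossOriginRequest, "protected JavaScript requested without XHR"
  end
  200
end

# HTTP status the model would answer with for a given upload.
def status_for(filename, **opts)
  verify_same_origin!(build_response(filename, **opts))
rescue InvalidCrossOriginRequest
  422
end

if __FILE__ == $PROGRAM_NAME
  %w[delete_old_aggregates.js notes.txt photo.jpg].each do |f|
    puts format("%-26s inline=%d download=%d", f, status_for(f), status_for(f, force_download: true))
  end
end
```
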