Return a blank JSON response for a missing .js file to prevent Rails CSRF errors (!16664) · Merge requests · GitLab.org / GitLab FOSS

Stan Hu requested to merge sh-fix-cross-site-forgery-errors into master Jan 24, 2018

The default 404 handler would return the Content-Type format based on the given format extension. This would cause the Rails CSRF protection to flag an error, since the .js extension gets mapped to text/javascript format.

Closes #40771 (closed)

Return a blank JSON response for a missing .js file to prevent Rails CSRF errors

Merge request reports