Include application/javascript when checking content_type
parent
17bf62033e
commit
d3a2c53955
@ -275,7 +275,7 @@ def marked_for_same_origin_verification? # :doc:
|
||||
|
||||
# Check for cross-origin JavaScript responses.
|
||||
def non_xhr_javascript_response? # :doc:
|
||||
content_type =~ %r(\Atext/javascript) && !request.xhr?
|
||||
content_type =~ %r(\A(text|application)/javascript) && !request.xhr?
|
||||
end
|
||||
|
||||
AUTHENTICITY_TOKEN_LENGTH = 32
|
||||
|
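Review bot: The widened pattern in `non_xhr_javascript_response?` still matches only two of the MIME types that browsers execute as script. A non-XHR response labelled `application/x-javascript`, `text/ecmascript` or `application/ecmascript` would not be treated as JavaScript by this predicate and so would skip the cross-origin check. Whether the application can emit those types depends on how content types are registered and set elsewhere, which is not visible in this hunk. If they are reachable, a broader form such as `content_type =~ %r(\A(?:text|application)/(?:x-)?(?:javascript|ecmascript)) && !request.xhr?` would cover them; otherwise a comment above the method stating that only these two types are expected would record the assumption. The group is not used for capture, so `(?:text|application)` is the closer fit either way.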
@ -521,6 +521,11 @@ def test_should_only_allow_same_origin_js_get_with_xhr_header
|
||||
get :negotiate_same_origin
|
||||
end
|
||||
|
||||
assert_cross_origin_blocked do
|
||||
@request.accept = "application/javascript"
|
||||
get :negotiate_same_origin
|
||||
end
|
||||
|
||||
assert_cross_origin_not_blocked { get :same_origin_js, xhr: true }
|
||||
assert_cross_origin_not_blocked { get :same_origin_js, xhr: true, format: "js" }
|
||||
assert_cross_origin_not_blocked do
|
||||
|
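Review bot: The added case in `test_should_only_allow_same_origin_js_get_with_xhr_header` pins only the blocked path for `application/javascript`. Nothing visible asserts that the same Accept value is still allowed when the request is XHR. A counterpart such as `assert_cross_origin_not_blocked { @request.accept = "application/javascript"; get :negotiate_same_origin, xhr: true }` would show that the broadened match does not reject legitimate same-origin XHR. The test method continues past the end of the hunk, where an open `assert_cross_origin_not_blocked do` begins, so an equivalent assertion may already exist below.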