Include application/javascript when checking content_type

2014-12-10 23:21:01 +08:00 · 2014-12-10 23:21:01 +08:00 · d3a2c53955
commit d3a2c53955
parent 17bf62033e
2 changed files with 6 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@ -275,7 +275,7 @@ def marked_for_same_origin_verification? # :doc:

      # Check for cross-origin JavaScript responses.
      def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\Atext/javascript) && !request.xhr?
+        content_type =~ %r(\A(text|application)/javascript) && !request.xhr?
      end

      AUTHENTICITY_TOKEN_LENGTH = 32
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -521,6 +521,11 @@ def test_should_only_allow_same_origin_js_get_with_xhr_header
      get :negotiate_same_origin
    end

+    assert_cross_origin_blocked do
+      @request.accept = "application/javascript"
+      get :negotiate_same_origin
+    end
+
    assert_cross_origin_not_blocked { get :same_origin_js, xhr: true }
    assert_cross_origin_not_blocked { get :same_origin_js, xhr: true, format: "js" }
    assert_cross_origin_not_blocked do