Specify the content type of the 404 response

[bethanyaconnor]

Currently if you go to studio.code.org/foo.js you get a 500 when you should get a 404 error.

I turned off consider_all_requests_local in development.rb and could reproduce the 500 error. The error message I got:

Error during failsafe response: Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

Because the requested file is *.js, the return type is inferred to be text/javascript so Rails throws an InvalidCrossOriginRequest exception. The fix is just to specify the return type as text/html.

Sources

1. https://die-antwort.eu/techblog/2018-08-avoid-invalid-cross-origin-request-with-catch-all-route/
2. https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40771

Links

• jira

Reviewer Checklist:

• Tests provide adequate coverage
• Code is well-commented
• New features are translatable or updates will not break translations
• Relevant documentation has been added or updated
• User impact is well-understood and desirable
• Pull Request is labeled appropriately
• Follow-up work items (including potential tech debt) are tracked and linked

[davidsbailey]

Nice find, nice fix!