Exempt files#show_relative from protect_from_forgery

Rails 4.1 introduces CSRF protection from remote <script> tags. This prevents locally-stored JavaScript files uploaded as part of a brand config from loading. The security implications of exempting `show_relative` needs to be discussed. It would be nice if this could be scoped to account-context files only. Test plan: * Create a new brand config * Upload a JavaScript file * Save and apply the brand config * Result: the JS file should load
instructure · Nov 10, 2016 · f21d53f · f21d53f
1 parent 7446c03
commit f21d53f
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
@@ -108,6 +108,7 @@
 #     }
 #
 class FilesController < ApplicationController
+  protect_from_forgery except: :show_relative
   before_filter :require_user, only: :create_pending
   before_filter :require_context, except: [
     :assessment_question_show, :image_thumbnail, :show_thumbnail, :preflight,