
rails_blob_path disregards `disposition: :inline` option #36277

Open
rodrei opened this issue May 14, 2019 · 8 comments

@rodrei
Contributor

commented May 14, 2019

Steps to reproduce

  • Generate a URL using `rails_blob_path(@user.avatar, disposition: :inline)`
  • When visiting the generated URL the `Content-Disposition` header is still set to `attachment`

Expected behavior

The Content-Disposition header should be set to inline

Actual behavior

Content-Disposition is set to attachment

System configuration

Rails version: 5.2.0 5.2.3
Ruby version: 2.5.1p57

@rodrei

Contributor Author

commented May 14, 2019

Update: This is not a bug, the Content-Disposition header was being forced to attachment because of a default configuration of ActiveStorage. I found these configs by looking at the source code, it may be a good idea to document them.

After updating Rails to version 5.2.3, I managed to solve the issue by adding this to application.rb:

```ruby
config.active_storage.content_types_allowed_inline << "image/svg+xml"
config.active_storage.content_types_to_serve_as_binary -= ["image/svg+xml"]
```

@rodrei rodrei closed this May 14, 2019

@SampsonCrowley


commented Jun 11, 2019

@rodrei I really don't think you should have closed this

@SampsonCrowley


commented Jun 11, 2019

An undocumented ActiveStorage config that ignores what is given in the docs is definitely a bug.

@rodrei

Contributor Author

commented Jun 11, 2019

I can reopen this if it helps. I do think at the very least there should be documentation about this.

@SampsonCrowley


commented Jun 12, 2019

I definitely was baffled until I found your issue

@rjhancock


commented Jun 16, 2019

Definitely a bug. Didn't realize there were configuration options and had to work around them on a project to get attached files to appear inline.

@rodrei rodrei reopened this Jun 24, 2019

@rodrei

Contributor Author

commented Jun 27, 2019

I looked into this and found out that the reason AS doesn't allow serving inline SVGs by default is to prevent XSS attacks (SVGs can contain JavaScript).

In my case end users are not the ones making the uploads, so it's not a risk for us. I believe this is a good default to have in place, but we should add documentation to allow changing this default behaviour when needed.

@rodrei

Contributor Author

commented Jun 27, 2019

There is actually some documentation already on these configs here:
https://guides.rubyonrails.org/configuring.html#configuring-active-storage
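As an added illustration of the two settings discussed in this thread (rodrei's `application.rb` snippet and the XSS rationale in the later comment), here is a small stand-alone model of the serving decision; it is not Rails' own code, and the default lists it uses are an assumption written to mirror the Rails 5.2 defaults rather than copied from the framework.

```ruby
# Added example, not ActiveStorage's implementation: models how the two config
# lists decide the Content-Type and Content-Disposition a blob is served with.
BINARY_CONTENT_TYPE = "application/octet-stream"

# Assumed defaults (mirroring Rails 5.2 as I recall them; constructed, not copied).
DEFAULT_SERVE_AS_BINARY = %w[
  text/html text/javascript image/svg+xml text/xml application/xml application/xhtml+xml
].freeze

DEFAULT_ALLOWED_INLINE = %w[
  image/png image/gif image/jpg image/jpeg application/pdf
].freeze

# requested: the disposition the caller asked for, e.g. via
# rails_blob_path(..., disposition: :inline). Returns the headers that would be sent.
def serving_headers(content_type, requested: :attachment,
                    serve_as_binary: DEFAULT_SERVE_AS_BINARY,
                    allowed_inline: DEFAULT_ALLOWED_INLINE)
  forced_binary = serve_as_binary.include?(content_type)
  # Anything not explicitly allowed inline is forced to download, so a format that
  # can carry script (SVG, HTML) is never rendered on the application's origin,
  # whatever disposition the URL requested.
  disposition = if forced_binary || !allowed_inline.include?(content_type)
                  :attachment
                else
                  requested.to_sym
                end
  {
    content_type: forced_binary ? BINARY_CONTENT_TYPE : content_type,
    disposition: disposition,
  }
end

# The adjustment from this thread, applied to copies of the defaults so the
# original lists stay intact for comparison. Only appropriate when uploads come
# from trusted users, as rodrei notes above.
def svg_inline_config
  {
    serve_as_binary: DEFAULT_SERVE_AS_BINARY - ["image/svg+xml"],
    allowed_inline: DEFAULT_ALLOWED_INLINE + ["image/svg+xml"],
  }
end

if __FILE__ == $PROGRAM_NAME
  p serving_headers("image/svg+xml", requested: :inline)                      # forced attachment
  p serving_headers("image/svg+xml", requested: :inline, **svg_inline_config) # inline
end
```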
