Merge pull request #32998 from gregmolnar/protect-from-application-javascript

Include application/javascript when checking content_type
author: Eileen M. Uchitelle <eileencodes@users.noreply.github.com> 2018-05-30 09:20:43 -0400
committer: GitHub <noreply@github.com> 2018-05-30 09:20:43 -0400
commit: 10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d (patch)
tree: 4cd7feb281301bf327d530e08fa47e5818cec9f1 /actionpack/lib
parent: ced104d57997c7bceef3d1e6c8a713431363c3bb (diff)
parent: d3a2c53955f28e0f3dfe0403ef691b903496e957 (diff)
download: rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.tar.gz
rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.tar.bz2
rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 953f3c47ed..df15c45470 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -275,7 +275,7 @@ module ActionController #:nodoc:
 
       # Check for cross-origin JavaScript responses.
       def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\Atext/javascript) && !request.xhr?
+        content_type =~ %r(\A(text|application)/javascript) && !request.xhr?
       end
 
       AUTHENTICITY_TOKEN_LENGTH = 32
author	Eileen M. Uchitelle <eileencodes@users.noreply.github.com>	2018-05-30 09:20:43 -0400
committer	GitHub <noreply@github.com>	2018-05-30 09:20:43 -0400
commit	10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d (patch)
tree	4cd7feb281301bf327d530e08fa47e5818cec9f1 /actionpack/lib
parent	ced104d57997c7bceef3d1e6c8a713431363c3bb (diff)
parent	d3a2c53955f28e0f3dfe0403ef691b903496e957 (diff)
download	rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.tar.gz rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.tar.bz2 rails-10e1f1f9a129f2f197a44009a99b73b8ff9dbc0d.zip