diff options
| author | Rosa Gutierrez <rosa.ge@gmail.com> | 2018-01-04 19:35:54 +0100 |
|---|---|---|
| committer | Rosa Gutierrez <rosa.ge@gmail.com> | 2018-01-05 16:32:32 +0100 |
| commit | d40284b1a44773b03d78ca67a888b94fd330d1b1 (patch) | |
| tree | ac9cada273b492f231bf1b48d215e36ff78fde05 /activestorage/CHANGELOG.md | |
| parent | 5a5014688873f1d6e1b66075eea8a4356b5a4d07 (diff) | |
| download | rails-d40284b1a44773b03d78ca67a888b94fd330d1b1.tar.gz rails-d40284b1a44773b03d78ca67a888b94fd330d1b1.tar.bz2 rails-d40284b1a44773b03d78ca67a888b94fd330d1b1.zip | |
Force content disposition to attachment for specific content types
In this way we avoid HTML, XML, SVG and other files that can be rendered
by the browser to be served inline by default. Depending on the origin
from where these files are served, this might lead to XSS
vulnerabilities, and in the best case, to more realistic phishing
attacks and open redirects.
We force it rather than falling back to it when other disposition is not
provided. Otherwise it would be possible for someone to force inline
just by passing `disposition=inline` in the URL.
The list of content types to be served as attachments is configurable.
Diffstat (limited to 'activestorage/CHANGELOG.md')
| -rw-r--r-- | activestorage/CHANGELOG.md | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md index c5171e7490..9ce177b462 100644 --- a/activestorage/CHANGELOG.md +++ b/activestorage/CHANGELOG.md @@ -1,3 +1,11 @@ +* Force `:attachment` disposition for specific, configurable content types. + This mitigates possible security issues such as XSS or phishing when + serving them inline. A list of such content types is included by default, + and can be configured via `content_types_to_serve_as_binary`. + + *Rosa Gutierrez* + + ## Rails 5.2.0.beta2 (November 28, 2017) ## * Fix the gem adding the migrations files to the package. |