aboutsummaryrefslogtreecommitdiffstats
path: root/activestorage/test/template
diff options
context:
space:
mode:
authorRosa Gutierrez <rosa.ge@gmail.com>2018-01-04 19:35:54 +0100
committerRosa Gutierrez <rosa.ge@gmail.com>2018-01-05 16:32:32 +0100
commitd40284b1a44773b03d78ca67a888b94fd330d1b1 (patch)
treeac9cada273b492f231bf1b48d215e36ff78fde05 /activestorage/test/template
parent5a5014688873f1d6e1b66075eea8a4356b5a4d07 (diff)
downloadrails-d40284b1a44773b03d78ca67a888b94fd330d1b1.tar.gz
rails-d40284b1a44773b03d78ca67a888b94fd330d1b1.tar.bz2
rails-d40284b1a44773b03d78ca67a888b94fd330d1b1.zip
Force content disposition to attachment for specific content types
In this way we avoid HTML, XML, SVG and other files that can be rendered by the browser to be served inline by default. Depending on the origin from where these files are served, this might lead to XSS vulnerabilities, and in the best case, to more realistic phishing attacks and open redirects. We force it rather than falling back to it when other disposition is not provided. Otherwise it would be possible for someone to force inline just by passing `disposition=inline` in the URL. The list of content types to be served as attachments is configurable.
Diffstat (limited to 'activestorage/test/template')
0 files changed, 0 insertions, 0 deletions