Update docs with warning on AS Content-Disposition override [ci skip]

author: Rodrigo Pavano <rodrigopavano@gmail.com> 2019-06-27 12:28:04 -0300
committer: Rodrigo Pavano <rodrigopavano@gmail.com> 2019-06-27 12:58:03 -0300
commit: 656ef8fd548dfa673a26a12d8d0376c254a426a1 (patch)
tree: 0fa4b5db77192c18c6aa4d59fd76b2ffc1ddd717 /guides
parent: 1bdd8fa576d26ff9f05c649feb3ecc9527c2c16d (diff)
download: rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.tar.gz
rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.tar.bz2
rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/guides/source/active_storage_overview.md b/guides/source/active_storage_overview.md
index 932a5dc2e9..46263e552a 100644
--- a/guides/source/active_storage_overview.md
+++ b/guides/source/active_storage_overview.md
@@ -398,6 +398,10 @@ helper allows you to set the disposition.
 rails_blob_path(user.avatar, disposition: "attachment")
 ```
 
+WARNING: To prevent XSS attacks, ActiveStorage forces the Content-Disposition header
+to "attachment" for some kind of files. To change this behaviour see the
+available configuration opions in [Configuring Rails Applications](configuring.html#configuring-active-storage).
+
 If you need to create a link from outside of controller/view context (Background
 jobs, Cronjobs, etc.), you can access the rails_blob_path like this:
author	Rodrigo Pavano <rodrigopavano@gmail.com>	2019-06-27 12:28:04 -0300
committer	Rodrigo Pavano <rodrigopavano@gmail.com>	2019-06-27 12:58:03 -0300
commit	656ef8fd548dfa673a26a12d8d0376c254a426a1 (patch)
tree	0fa4b5db77192c18c6aa4d59fd76b2ffc1ddd717 /guides
parent	1bdd8fa576d26ff9f05c649feb3ecc9527c2c16d (diff)
download	rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.tar.gz rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.tar.bz2 rails-656ef8fd548dfa673a26a12d8d0376c254a426a1.zip