author    Rafael França <rafael@franca.dev>  2019-07-24 15:45:17 -0400
committer GitHub <noreply@github.com>        2019-07-24 15:45:17 -0400
commit    8013cc02cb8f372324e7383d05862048aa8292d9
tree      9cc6700354af1b4d5d22ea95dd86ce9d4b26a6af /guides
parent    01a28f3e6bf9f1550aca9b86b8805051c97a14d6
parent    656ef8fd548dfa673a26a12d8d0376c254a426a1
Merge pull request #36564 from rodrei/docs-active-starage-warning
Update docs with warning on ActiveStorage Content-Disposition override
Diffstat (limited to 'guides')
 guides/source/active_storage_overview.md | 4
 guides/source/configuring.md             | 2
2 files changed, 6 insertions, 0 deletions
diff --git a/guides/source/active_storage_overview.md b/guides/source/active_storage_overview.md
index 932a5dc2e9..46263e552a 100644
--- a/guides/source/active_storage_overview.md
+++ b/guides/source/active_storage_overview.md
@@ -398,6 +398,10 @@ helper allows you to set the disposition.
rails_blob_path(user.avatar, disposition: "attachment")
```
+WARNING: To prevent XSS attacks, ActiveStorage forces the Content-Disposition header
+to "attachment" for some kind of files. To change this behaviour see the
+available configuration opions in [Configuring Rails Applications](configuring.html#configuring-active-storage).
+
If you need to create a link from outside of controller/view context (Background
jobs, Cronjobs, etc.), you can access the rails_blob_path like this:
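Review bot: the added WARNING leaves the reader guessing which files it applies to ("for some kind of files") and contains typos; the configuring.md hunk of this same PR documents an inline allowlist (`content_types_allowed_inline`) next to the always-binary list (`content_types_to_serve_as_binary`), so the warning should state the actual rule: a blob is served inline only when its content type is in the allowlist and not in the binary list, and every other type is sent as an attachment regardless of the `disposition:` passed to `rails_blob_path`, which is the "override" the PR title refers to. That matters because the types being forced to attachment here (`text/html`, `image/svg+xml`, `application/xhtml+xml`) are exactly the ones a browser would render and run scripts from on the application's origin if a user-uploaded blob were served inline. Suggested replacement for the three added lines: `WARNING: To prevent XSS attacks, Active Storage forces the Content-Disposition header to "attachment" for every content type that is not explicitly allowed inline, ignoring the disposition you pass. To change this behavior, see the available configuration options in [Configuring Rails Applications](configuring.html#configuring-active-storage).` Minor: "opions" should be "options", "behaviour" should be the guides' US spelling "behavior", and the guides write the product name as "Active Storage", not "ActiveStorage".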
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
index ded985debe..c5d3d09bd0 100644
--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@@ -844,6 +844,8 @@ You can find more detailed configuration options in the
* `config.active_storage.content_types_to_serve_as_binary` accepts an array of strings indicating the content types that Active Storage will always serve as an attachment, rather than inline. The default is `%w(text/html
text/javascript image/svg+xml application/postscript application/x-shockwave-flash text/xml application/xml application/xhtml+xml application/mathml+xml text/cache-manifest)`.
+* `config.active_storage.content_types_allowed_inline` accepts an array of strings indicating the content types that Active Storage allows to serve as inline. The default is `%w(image/png image/gif image/jpg image/jpeg image/vnd.adobe.photoshop image/vnd.microsoft.icon application/pdf)`.
+
* `config.active_storage.queues.analysis` accepts a symbol indicating the Active Job queue to use for analysis jobs. When this option is `nil`, analysis jobs are sent to the default Active Job queue (see `config.active_job.default_queue_name`).
```ruby
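Review bot: the new bullet says what `content_types_allowed_inline` permits but not what happens to everything else, which is the point of the setting: a content type absent from this list is served as an attachment even when the caller asked for an inline disposition, and a type that also appears in `content_types_to_serve_as_binary` (documented in the bullet just above as "always serve as an attachment") stays an attachment. Suggest ending the sentence with: "Any other content type is always served as an attachment." Two caveats are worth a sentence for anyone tempted to edit the default: adding `image/svg+xml` or `text/html` to this list re-enables the XSS the previous bullet guards against, since browsers execute scripts embedded in those formats on the application's origin; and `image/jpg` in the default is not a registered media type (the registered one is `image/jpeg`, which is also listed), so it is redundant rather than harmful. Grammar: "allows to serve as inline" should read "allows to be served inline".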