| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows activestorage users to ship smaller javascript bundles to
visitors using modern browsers, as demonstrated in this repository:
https://github.com/rmacklin/activestorage-es2015-build-example
In that example, the bundle shrinks by 5K (24%).
In addition to allowing smaller bundles for those who ship untranspiled
code to modern browsers, including the source code in the published
package can be useful in other ways:
1. Users can import individual modules rather than the whole library
2. As a result of (1), users can also monkey patch parts of
activestorage by importing the relevant module, modifying the
exported object, and then importing the rest of activestorage (which
would then use the patched object).
Note:
In order to allow the source code to be depended on rather than the
compiled code, we have to declare the external dependency on spark-md5
as a regular dependency, not a development dependency.
This means that even users who depend on the compiled code will have to
download this package. However, spark-md5 is a small package, so this
tradeoff seems worth it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In this way we avoid HTML, XML, SVG and other files that can be rendered
by the browser to be served inline by default. Depending on the origin
from where these files are served, this might lead to XSS
vulnerabilities, and in the best case, to more realistic phishing
attacks and open redirects.
We force it rather than falling back to it when other disposition is not
provided. Otherwise it would be possible for someone to force inline
just by passing `disposition=inline` in the URL.
The list of content types to be served as attachments is configurable.
|
