Patch #39894
closed
Explicitly render a 404 on non-JS requests to watchers#new
0%
Description
The "Add watcher" button in the sidebar of issues is a javascript-ified link. Sometimes, crawlers hit this raw link and request non-JS data.
This currently results in the rendering JS template. However, the response is eventually blocked by ActionController::RequestForgeryProtection#verify_same_origin_request which is run as an after_action. This method then throws an ActionController::InvalidCrossOriginRequest error and denies sending the rendered data to the client to avoid sending an unauthorized cross-origin response.
This exception is then later handled by the ActionDispatch::ExceptionWrapper middleware which in turn send an empty 406 response.
The attached patch fixes this behavior by explicitly sending a 404 response when the (default) html format was requested for the watchers#new action. This hopefully keeps strange crawlers from further crawling this link...
Files
Related issues
Updated by Marius BĂLTEANU 11 months ago
- Has duplicate Defect #30489: Internal server error when click middle mouse button link add watcher added
Updated by Marius BĂLTEANU 11 months ago
- Category set to Code cleanup/refactoring
- Status changed from New to Resolved
Committed with a test!
Updated by Go MAEDA 11 months ago
- Related to Patch #39999: Explicitly render a 404 on non-JS requests to messages#quote added