Merge branch 'sh-fix-cross-site-origin-uploads-js' into 'master'

Fix cross-origin errors when attempting to download JavaScript attachments

Closes #45826

See merge request gitlab-org/gitlab-ce!18936

app/controllers/concerns/send_file_upload.rb

@@ -2,6 +2,10 @@ module SendFileUpload
   def send_upload(file_upload, send_params: {}, redirect_params: {}, attachment: nil, disposition: 'attachment')
     if attachment
       redirect_params[:query] = { "response-content-disposition" => "#{disposition};filename=#{attachment.inspect}" }
+      # By default, Rails will send uploads with an extension of .js with a
+      # content-type of text/javascript, which will trigger Rails'
+      # cross-origin JavaScript protection.
+      send_params[:content_type] = 'text/plain' if File.extname(attachment) == '.js'
       send_params.merge!(filename: attachment, disposition: disposition)
     end
 

changelogs/unreleased/sh-fix-cross-site-origin-uploads-js.yml

+---
+title: Fix cross-origin errors when attempting to download JavaScript attachments
+merge_request:
+author:
+type: fixed

spec/controllers/concerns/send_file_upload_spec.rb

@@ -51,6 +51,21 @@ describe SendFileUpload do
       end
     end
 
+    context 'with attachment' do
+      subject { controller.send_upload(uploader, attachment: 'test.js') }
+
+      it 'sends a file with content-type of text/plain' do
+        expected_params = {
+          content_type: 'text/plain',
+          filename: 'test.js',
+          disposition: 'attachment'
+        }
+        expect(controller).to receive(:send_file).with(uploader.path, expected_params)
+
+        subject
+      end
+    end
+
     context 'when remote file is used' do
       before do
         stub_uploads_object_storage(uploader: uploader_class)