diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7ed8bcc9..a9fc33ab 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -153,6 +153,11 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def set_content_type_nosniff
+    # When sending a file, we want to ensure that browsers follow our Content-Type header
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+  end
+
   def switch_locale(&)
     session[:locale] = sanitize_locale(params[:custom_locale] || params[:locale] || session[:locale])
     locale = session[:locale] || http_accept_language.compatible_language_from(I18n.available_locales) || I18n.default_locale
diff --git a/app/controllers/code_ocean/files_controller.rb b/app/controllers/code_ocean/files_controller.rb
index 69151722..82cfea72 100644
--- a/app/controllers/code_ocean/files_controller.rb
+++ b/app/controllers/code_ocean/files_controller.rb
@@ -5,6 +5,7 @@ module CodeOcean
     include CommonBehavior
     include FileParameters
 
+    before_action :set_content_type_nosniff
     # Overwrite the CSP header and some default actions for the :render_protected_upload action
     content_security_policy false, only: :render_protected_upload
     skip_before_action :deny_access_from_render_host, only: :render_protected_upload
diff --git a/app/controllers/live_streams_controller.rb b/app/controllers/live_streams_controller.rb
index 2040e663..6f0d0a6d 100644
--- a/app/controllers/live_streams_controller.rb
+++ b/app/controllers/live_streams_controller.rb
@@ -4,6 +4,7 @@ class LiveStreamsController < ApplicationController
   # Including ActionController::Live changes all actions in this controller!
   # Therefore, it is extracted into a separate controller
   include ActionController::Live
 
+  before_action :set_content_type_nosniff
   skip_before_action :deny_access_from_render_host, only: :download_submission_file
   skip_before_action :verify_authenticity_token, only: :download_submission_file
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index b0b41a7e..c243db3b 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -463,11 +463,6 @@ class SubmissionsController < ApplicationController
     @files = @submission.collect_files.select(&:visible)
   end
 
-  def set_content_type_nosniff
-    # When sending a file, we want to ensure that browsers follow our Content-Type header
-    response.headers['X-Content-Type-Options'] = 'nosniff'
-  end
-
   def set_submission
     @submission = Submission.find(params[:id])
     authorize!
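Review bot: `set_content_type_nosniff` is added next to `switch_locale` in ApplicationController and the hunk shows no `private` marker above it; if that section is not already private, a public method on ApplicationController (which is not abstract) counts as an action on every subclass, so it should sit under `private` or be written `private def set_content_type_nosniff`. The moved comment still says "When sending a file", but the method now runs as a `before_action` for every action of the controllers that register it, so the wording no longer matches its use; suggest `# Registered as a before_action by the file-serving controllers: tell browsers not to MIME-sniff our Content-Type.` The enclosing class begins and ends outside the hunk.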
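Review bot: The new `before_action :set_content_type_nosniff` in files_controller.rb is inserted directly above `# Overwrite the CSP header and some default actions for the :render_protected_upload action`, so that comment now reads as if it described the nosniff callback instead of the `content_security_policy` line below it. Either a blank line after the new callback or placing it below the `skip_before_action` line keeps the existing comment attached to what it documents. The FilesController class continues outside the hunk.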
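Review bot: With `ActionController::Live` included, response headers are sent to the client on the first write to `response.stream`, and anything set afterwards is silently dropped; registering the nosniff header as a `before_action` is therefore the right place, but nothing in the hunk records that constraint for whoever next reorders these callbacks. Suggest a comment above the new line: `# Must run before the action: ActionController::Live commits headers on the first stream write.` The class body continues outside the hunk.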