diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index 618ed5f7..d57ff6a3 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -15,8 +15,9 @@ class SubmissionsController < ApplicationController
 # Overwrite the CSP header and some default actions for the :render_file action
 content_security_policy false, only: :render_file
 skip_before_action :deny_access_from_render_host, only: :render_file
- skip_before_action :verify_authenticity_token, only: :render_file
 before_action :require_user!, except: :render_file
+ # We want to serve .js files without raising a `ActionController::InvalidCrossOriginRequest` exception
+ skip_before_action :verify_authenticity_token, only: %i[render_file download_file]
 
 def create
 @submission = Submission.new(submission_params)
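Review bot: Adding `download_file` to the `skip_before_action :verify_authenticity_token` list turns off more than the `InvalidCrossOriginRequest` check named in the new comment, because the same callback also enforces the CSRF token on non-GET requests. Unlike `render_file`, this action stays behind `require_user!` and is not exempted from `deny_access_from_render_host`, so it presumably answers on the main origin with the user's session. The cross-origin check exists so that another site cannot load a signed-in user's JavaScript response through a `<script>` tag, and if `download_file` (defined outside this hunk) sends a JavaScript content type, that protection no longer covers submission files. A narrower fix would keep the callback and have the action send the file as a download, with `type: 'application/octet-stream', disposition: 'attachment'` on its `send_data`/`send_file` call, which should no longer count as a JavaScript response. If the skip stays, confirm the route is GET-only and say so in the comment, e.g. `# download_file is GET-only and read-only; CSRF and cross-origin JS checks are skipped so .js files can be served`.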