authorJean-Philippe Lang <jp_lang@yahoo.fr>2016-10-02 10:22:30 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2016-10-02 10:22:30 +0000
commit31825ff1ee663d1f9478d9587c89c903f4eac474 (patch)
treeaae8d98528ff9af2f9d846ce372930b43a53af89
parentdce9b21f3fcf19e9ac062f253d7c6312e8ace247 (diff)
Merged r15856 (#23376).
git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@15877 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/attachments_controller.rb4
-rw-r--r--test/functional/attachments_controller_test.rb13
2 files changed, 17 insertions, 0 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index ea45397ef..ec7cb7936 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController
before_filter :delete_authorize, :only => :destroy
before_filter :authorize_global, :only => :upload
+ # Disable check for same origin requests for JS files, i.e. attachments with
+ # MIME type text/javascript.
+ skip_after_filter :verify_same_origin_request, :only => :download
+
accept_api_auth :show, :download, :thumbnail, :upload, :destroy
def show
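Review bot: The `skip_after_filter` is scoped by action, not by MIME type, so it turns off `verify_same_origin_request` for every `download` response, while the comment reads as if only text/javascript attachments were affected. With the check skipped, a JavaScript attachment that the current session may read is also returned to a plain non-XHR GET, including one triggered from another origin, so this is a deliberate trade-off rather than a no-op. I would say so in the comment, e.g. `# Skips Rails' cross-origin JavaScript check for all downloads: attachments are stored files, not generated JS,` / `# so a text/javascript attachment must be servable to a plain GET.` The class body continues outside the hunk, so how `download` sets the disposition and type cannot be checked from here.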
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 5d3387975..c8bf99644 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -258,6 +258,19 @@ class AttachmentsControllerTest < ActionController::TestCase
set_tmp_attachments_directory
end
+ def test_download_js_file
+ set_tmp_attachments_directory
+ attachment = Attachment.create!(
+ :file => mock_file_with_options(:original_filename => "hello.js", :content_type => "text/javascript"),
+ :author_id => 2,
+ :container => Issue.find(1)
+ )
+
+ get :download, :id => attachment.id
+ assert_response :success
+ assert_equal 'text/javascript', @response.content_type
+ end
+
def test_download_version_file_with_issue_tracking_disabled
Project.find(1).disable_module! :issue_tracking
get :download, :id => 9
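Review bot: `test_download_js_file` pins only the status and content type, so it would still pass if an uploaded script were later served inline from the application origin. Adding `assert_match(/attachment/, @response.headers['Content-Disposition'])` would lock in that the file is offered as a download; this assumes `download` sends non-image files with an attachment disposition, which is not visible in the hunk. It is also worth confirming that the test fails without the controller change, since the filter may not run at all if forgery protection is disabled in the test environment.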