Rails 4 redirects to 'data:,' in Chrome

There is a weird behavior in Google Chrome, which is also described in this question: rails redirects to 'data:,'

When a new resource is being created and my controller redirects to the show action, Chrome initiates loading of a blank page with 'data:,' in the address bar. The reply of the author who asked the above-mentioned question is the following:

This is a security feature, the HTML content of the new page matches the HTML content of the submitted form, which Chrome blocks.

However, no explanation of how to fix it followed. The behavior is only present in the Chrome browser.

snitko asked Oct 01 '13 00:10



1 Answer

I've been googling it and found that editing posts with an iframe in Rails 4.0 causes a redirect to "data:,"

Rails 4 now sets the X-XSS-Protection header for all requests, so the iframe trips up the XSS protection in Chrome after a form submit. (https://github.com/elektronaut/sugar/issues/41#issuecomment-25987368)

Solution: add this to your controller:

```ruby
before_filter :disable_xss_protection

protected

def disable_xss_protection
  # Disabling this is probably not a good idea,
  # but the header causes Chrome to choke when being
  # redirected back after a submit and the page contains an iframe.
  response.headers['X-XSS-Protection'] = "0"
end
```
talski answered Sep 20 '22 21:09

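The filter in the answer turns the header off for every action in the controller. As an added example (not code from the answer or from Rails), this Rack-style middleware narrows the override to the paths that render the iframe and leaves the Rails 4 default on all other responses; the class name `ScopedXssHeader`, the `/posts` prefix and the stub app are assumptions.

```ruby
# Added example: send "X-XSS-Protection: 0" only for selected path prefixes
# and keep the framework default on every other response.
# ScopedXssHeader, the prefixes and the stub app below are hypothetical.
class ScopedXssHeader
  # Mixed-case header name, as used by the Rack versions of the Rails 4 era.
  HEADER = 'X-XSS-Protection'.freeze

  def initialize(app, prefixes:)
    @app = app
    @prefixes = prefixes.map { |p| p.chomp('/') }
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    headers[HEADER] = '0' if exempt?(env['PATH_INFO'].to_s)
    [status, headers, body]
  end

  private

  # Match whole path segments so "/posts" does not also exempt "/postscript".
  def exempt?(path)
    @prefixes.any? { |p| path == p || path.start_with?("#{p}/") }
  end
end

# Constructed stand-in for the Rails app: every response carries the
# default value that Rails 4 sets for this header.
DEFAULT_APP = lambda do |_env|
  [200, { 'X-XSS-Protection' => '1; mode=block', 'Content-Type' => 'text/html' }, ['ok']]
end

# Returns the header value a client would see for the given request path.
def xss_header_for(path, prefixes: ['/posts'])
  stack = ScopedXssHeader.new(DEFAULT_APP, prefixes: prefixes)
  _status, headers, _body = stack.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')
  headers['X-XSS-Protection']
end

if __FILE__ == $PROGRAM_NAME
  %w[/posts/12 /posts /postscript /admin/users].each do |path|
    puts format('%-14s %s', path, xss_header_for(path))
  end
end
```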