Merge pull request #5042 from betagouv/attempt-to-fix-invalid-auth-tokens

Tentative de correction des erreurs ActionController::InvalidAuthenticityToken à l'upload
Pierre de La Morinerie 2020-04-15 09:00:13 +02:00 committed by GitHub
commit ebfa294755
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 6 deletions


@ -1,7 +1,7 @@
%ul.footer-row.footer-bottom-line.footer-site-links %ul.footer-row.footer-bottom-line.footer-site-links
%li>= link_to "Accessibilité", accessibilite_path %li.footer-link-accessibilite>= link_to "Accessibilité", accessibilite_path
%li>= link_to "CGU", CGU_URL, target: "_blank", rel: "noopener noreferrer" %li.footer-link-cgu>= link_to "CGU", CGU_URL, target: "_blank", rel: "noopener noreferrer"
%li>= link_to "Mentions légales", MENTIONS_LEGALES_URL, target: "_blank", rel: "noopener noreferrer" %li.footer-link-mentions-legales>= link_to "Mentions légales", MENTIONS_LEGALES_URL, target: "_blank", rel: "noopener noreferrer"
%li>= link_to 'Documentation', DOC_URL %li.footer-link-doc>= link_to 'Documentation', DOC_URL
%li>= contact_link "Contact technique", dossier_id: dossier&.id %li.footer-link-contact>= contact_link "Contact technique", dossier_id: dossier&.id
%li>= link_to 'Aide', FAQ_URL %li.footer-link-aide>= link_to 'Aide', FAQ_URL
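Review bot: The `Documentation` and `Aide` links on the last two changed lines (DOC_URL, FAQ_URL) are still emitted without `target`/`rel`, while the CGU and Mentions légales lines beside them get `target: "_blank", rel: "noopener noreferrer"`; if DOC_URL and FAQ_URL also point off-site, the footer opens external links inconsistently, and whether they are external cannot be told from this hunk. Either open all off-site links the same way or drop `target: "_blank"` from the two that have it, keeping `rel: "noopener noreferrer"` on any link that does open a new tab. This inconsistency predates the commit rather than being introduced by it. The added `footer-link-*` classes look fine; since their purpose (styling hooks or test selectors, presumably) is not visible here, a short HAML comment above the list such as `-# footer-link-* classes are stable hooks for styling and system tests` would document the intent.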


@ -35,6 +35,18 @@ module TPS
config.action_view.sanitized_allowed_tags = ActionView::Base.sanitized_allowed_tags + ['u'] config.action_view.sanitized_allowed_tags = ActionView::Base.sanitized_allowed_tags + ['u']
# Some mobile browsers have a behaviour where, although they will delete the session
# cookie when the browser shutdowns, they will still serve a cached version
# of the page on relaunch.
# The CSRF token in the HTML is then mismatched with the CSRF token in the session cookie
# (because the session cookie has been cleared). This causes form submissions to fail with
# a "ActionController::InvalidAuthenticityToken" exception.
# To prevent this, tell browsers to never cache the HTML of a page.
# (This doesnt affect assets files, which are still sent with the proper cache headers).
#
# See https://github.com/rails/rails/issues/21948
config.action_dispatch.default_headers['Cache-Control'] = 'no-store, no-cache'
config.to_prepare do config.to_prepare do
# Make main application helpers available in administrate # Make main application helpers available in administrate
Administrate::ApplicationController.helper(TPS::Application.helpers) Administrate::ApplicationController.helper(TPS::Application.helpers)