SECURITY: Remove ember-cli specific response from application routes (#15155)

Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label. Previously the Rails application would serve JSON data in place of HTML whenever Ember CLI requested an `application.html.erb`-rendered page. This commit removes that logic, and instead parses the HTML out of the standard response. This means that Rails doesn't need to customize its response for Ember CLI.
2021-12-01 16:10:40 +00:00
parent f37375f582
commit 1fa7a87f86
11 changed files with 265 additions and 77 deletions
@@ -25,6 +25,9 @@ module.exports = function (defaults) {
      // This forces the use of `fast-sourcemap-concat` which works in production.
      enabled: true,
    },
+    autoImport: {
+      forbidEval: true,
+    },
  });

  // Ember CLI does this by default for the app tree, but for our extra bundles we