Fix CSRF error when Origin header is null
What does this MR do and why?
In !70577 (merged), we load Rails 6.1 defaults then override the ones we haven't adopted in an initializer.
Overriding in an initializer is too late because the config values are already used and copied to some classes like ActionController::Base.
This moves the overrides to application.rb right after we call load_defaults.
Related to #345765 (closed)
How to set up and validate locally
Before:
[1] pry(main)> Rails.application.config.action_controller.forgery_protection_origin_check
=> false
[2] pry(main)> ActionController::Base.forgery_protection_origin_check
=> true
After:
[1] pry(main)> ActionController::Base.forgery_protection_origin_check
=> false
[2] pry(main)> Rails.application.config.action_controller.forgery_protection_origin_check
=> false
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Heinrich Lee Yu
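The ordering problem described in this MR, as an added example that is not part of the original MR or of GitLab's or Rails' code: a simplified plain-Ruby model in which a controller class copies the setting once when it is loaded, so a later override never reaches it and a request with `Origin: null` is still rejected. `AppConfig`, `ControllerModel`, `boot`, `null_origin_result` and the base URL are hypothetical names and constructed values.

```ruby
# Simplified model (constructed for illustration, not Rails source).
class InvalidAuthenticityToken < StandardError; end

# Stand-in for Rails.application.config.action_controller.
AppConfig = Struct.new(:forgery_protection_origin_check)

# Stand-in for ActionController::Base: the config value is copied once,
# at the moment the class is "loaded", and never re-read afterwards.
class ControllerModel
  attr_reader :forgery_protection_origin_check

  def initialize(config)
    @forgery_protection_origin_check = config.forgery_protection_origin_check
  end

  # Shape of the origin check: when enabled, a literal "null" Origin is
  # rejected; otherwise Origin must be absent or equal to the base URL.
  def valid_request_origin?(origin, base_url)
    return true unless forgery_protection_origin_check
    raise InvalidAuthenticityToken, "Origin header is null" if origin == "null"
    origin.nil? || origin == base_url
  end
end

# Runs a boot sequence. :load_defaults turns the check on, :override is the
# opt-out, :load_controller is the point where the class copies the config.
def boot(order)
  config = AppConfig.new(false)
  controller = nil
  order.each do |step|
    case step
    when :load_defaults   then config.forgery_protection_origin_check = true
    when :override        then config.forgery_protection_origin_check = false
    when :load_controller then controller = ControllerModel.new(config)
    end
  end
  [config, controller]
end

# Outcome of a request carrying "Origin: null" under a given boot order.
def null_origin_result(order)
  _config, controller = boot(order)
  controller.valid_request_origin?("null", "https://gitlab.example.com")
rescue InvalidAuthenticityToken
  :rejected
end

BEFORE = %i[load_defaults load_controller override].freeze # override in an initializer
AFTER  = %i[load_defaults override load_controller].freeze # override in application.rb
```

In the `BEFORE` order the config object and the controller disagree, which matches the "Before" console output above; a boot-time check that the two values are equal would catch a regression of this kind.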