[RUBY] Rails 5.2: letting IE open a link directly instead of only saving it

If you are wondering why a link that serves a PDF with send_data in Rails only offers a save option in IE11, the cause is a change listed in the Rails 5.2 release notes (https://railsguides.jp/5_2_release_notes.html):

Added secure X-Download-Options and X-Permitted-Cross-Domain-Policies to the default header set. (Commit)

I think the intention of this default is to keep a vulnerable file from being opened directly in the application, but every other browser I tried lets it through, and only IE11 ends up in a "save only" state. Isn't that surprising? (I may be misunderstanding.)

So if you want IE11 to open the file directly, you can do something like this, for example.

        # Only where the risk is acceptable: drop the header for this response
        response.headers.delete("X-Download-Options")
        send_file(file_path, filename: filename, type: content_type, disposition: 'inline')

To apply this to the entire site, it can probably be done in config. → An example of how to handle this was provided in the comments.

config/application.rb

        config.action_dispatch.default_headers.delete('X-Download-Options')
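
Removing the header site-wide also removes it from every other download the application serves. As a narrower alternative, the following added example (not from the original post or its comments) is a small Rack middleware that drops `X-Download-Options` only for inline responses of an allowlisted content type and leaves `noopen` on everything else. The names `ScopedNoopen`, `ALLOWED_TYPES` and `headers_after` are hypothetical, and the sample app is constructed for the demonstration.

```ruby
# Added example: relax X-Download-Options only for inline, allowlisted types.
# ScopedNoopen and ALLOWED_TYPES are hypothetical names, not Rails APIs.
class ScopedNoopen
  HEADER = "X-Download-Options"
  ALLOWED_TYPES = ["application/pdf"].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.delete(find_key(headers, HEADER)) if relax?(headers)
    [status, headers, body]
  end

  private

  # Header names are case-insensitive, so match them without regard to case.
  def find_key(headers, name)
    headers.keys.find { |k| k.casecmp?(name) }
  end

  def value(headers, name)
    key = find_key(headers, name)
    key ? headers[key].to_s : ""
  end

  # Relax only when the response is served inline AND its media type is allowlisted.
  def relax?(headers)
    type = value(headers, "Content-Type").split(";").first.to_s.strip.downcase
    inline = value(headers, "Content-Disposition").strip.downcase.start_with?("inline")
    inline && ALLOWED_TYPES.include?(type)
  end
end

# Constructed sample app standing in for a Rails app that sends the 5.2 default header.
def headers_after(type, disposition)
  app = lambda do |_env|
    [200, { "Content-Type" => type, "Content-Disposition" => disposition,
            "X-Download-Options" => "noopen" }, ["body"]]
  end
  ScopedNoopen.new(app).call({})[1]
end
```

In a Rails application this would be registered with `config.middleware.use ScopedNoopen`, with the site-wide `default_headers.delete` line left out.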
