From 60d978805a2d5870cda623be143f79218a401d97 Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Tue, 21 Apr 2026 10:18:10 +0000
Subject: [PATCH 1/4] config: don't serve image blobs with Content-Disposition: inline
---
 lib/resources/config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/resources/config.js b/lib/resources/config.js
index 27eeefff9..76b4613bc 100644
--- a/lib/resources/config.js
+++ b/lib/resources/config.js
@@ -63,7 +63,7 @@ module.exports = (service, endpoint, anonymousEndpoint) => {
 // Configs that store blobs
 const blob = await Blobs.getById(config.blobId).then(getOrNotFound);
- return blobResponse(s3, key, blob, true);
+ return blobResponse(s3, key, blob);
 };
 service.get('/config/public/:key', anonymousEndpoint(async (container, { params }) => {
From 4474ff198abb80482b9f5841f49b95bbd19d3c5f Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Tue, 21 Apr 2026 10:25:32 +0000
Subject: [PATCH 2/4] update tests
---
 test/integration/api/config.js | 39 +++++++++++++++-------------------
 1 file changed, 17 insertions(+), 22 deletions(-)
diff --git a/test/integration/api/config.js b/test/integration/api/config.js
index 3ec88e2c8..17a666774 100644
--- a/test/integration/api/config.js
+++ b/test/integration/api/config.js
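Review bot: In `lib/resources/config.js`, the new call `blobResponse(s3, key, blob)` gets its attachment disposition from the helper's default, and nothing at the call site records that dropping the fourth argument was a security decision. The tests in this series show the stored type comes from the uploader's `Content-Type` header, and the next context line registers `/config/public/:key` through `anonymousEndpoint`, so a comment such as `// never inline: uploader-controlled blob; attachment disposition keeps it from rendering on this origin` would stop `true` from being re-added later. The body of `blobResponse` is not in this hunk, so it is worth confirming separately that it also sends `X-Content-Type-Options: nosniff`. If no other caller passes that fourth argument, it could be removed. The enclosing function starts and ends outside the hunk.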
@@ -62,29 +62,24 @@ describe('api: /config', () => {
 });
 }));
- it('should inline select image types', testService(async (service) => {
- const asAlice = await service.login('alice');
-
- await asAlice.post('/v1/config/logo')
- .set('Content-Type', 'image/jpeg')
- .send('testimage')
- .expect(200);
- await asAlice.get('/v1/config/logo')
- .expect(200)
- .then(({ headers }) => {
- headers['content-disposition'].should.startWith('inline');
- });
+ [
+ 'image/jpeg',
+ 'image/svg+xml',
+ ].forEach(mimeType => {
+ it(`should not inline image type: ${mimeType}`, testService(async (service) => {
+ const asAlice = await service.login('alice');
- await asAlice.post('/v1/config/logo')
- .set('Content-Type', 'image/svg+xml')
- .send('testimage2')
- .expect(200);
- await asAlice.get('/v1/config/logo')
- .expect(200)
- .then(({ headers }) => {
- headers['content-disposition'].should.startWith('attachment');
- });
- }));
+ await asAlice.post('/v1/config/logo')
+ .set('Content-Type', mimeType)
+ .send('testimage')
+ .expect(200);
+ await asAlice.get('/v1/config/logo')
+ .expect(200)
+ .then(({ headers }) => {
+ headers['content-disposition'].should.startWith('attachment');
+ });
+ }));
+ });
 });
 it('should overwrite the existing config', testService((service) =>
From 817145965058847dfa94aefafe17d77e686c790c Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Sat, 25 Apr 2026 12:06:48 +0300
Subject: [PATCH 3/4] Apply suggestion from @alxndrsn
---
 test/integration/api/config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/api/config.js b/test/integration/api/config.js
index 17a666774..3cb462ce1 100644
--- a/test/integration/api/config.js
+++ b/test/integration/api/config.js
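Review bot: The rewritten test in `test/integration/api/config.js` (PATCH 2/4) reads the blob back only through the authenticated `asAlice.get('/v1/config/logo')`, so the anonymous route that `lib/resources/config.js` registers as `/config/public/:key` is not covered by the new assertion. If `logo` is one of the keys that route serves, which this hunk does not show, a second request made without a login and checked with the same `headers['content-disposition'].should.startWith('attachment')` would pin the behaviour where unauthenticated browsers actually fetch it. It would also help to assert the returned `content-type` next to the disposition, so a later change that starts rewriting or sniffing the type is caught by this test.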
@@ -66,7 +66,7 @@ describe('api: /config', () => {
 'image/jpeg',
 'image/svg+xml',
 ].forEach(mimeType => {
- it(`should not inline image type: ${mimeType}`, testService(async (service) => {
+ it(`should not set Content-Disposition: inline for mime type: ${mimeType}`, testService(async (service) => {
 const asAlice = await service.login('alice');
 await asAlice.post('/v1/config/logo')
From ce8e289bed4448b50a9bec7234f1c8292f7b9688 Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Sat, 25 Apr 2026 12:07:42 +0300
Subject: [PATCH 4/4] Apply suggestion from @alxndrsn
---
 test/integration/api/config.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/integration/api/config.js b/test/integration/api/config.js
index 3cb462ce1..5454f23c2 100644
--- a/test/integration/api/config.js
+++ b/test/integration/api/config.js
@@ -65,6 +65,8 @@ describe('api: /config', () => {
 [
 'image/jpeg',
 'image/svg+xml',
+ 'text/html',
+ 'text/javascript',
 ].forEach(mimeType => {
 it(`should not set Content-Disposition: inline for mime type: ${mimeType}`, testService(async (service) => {
 const asAlice = await service.login('alice');
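Review bot: Adding `'text/html'` and `'text/javascript'` to the list in PATCH 4/4 means the shared test body expects `POST /v1/config/logo` to answer 200 for them, so the suite now pins that the logo key accepts non-image uploads. The attachment disposition limits what a browser does with such a blob. If the key is meant to hold only images, though, a separate test that the upload is rejected would make that intent explicit; otherwise a comment above the list such as `// accepted on upload by design; only the response disposition is under test` would do. Whether the endpoint validates the uploaded type at all is not visible in this hunk, and the test body continues past its last line.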