R1:37b93f426225
R1:37b93f426225
Don't require POST to download LFS files from main domain
Summary:
Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET.
This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.
Allow them to be served over GET if the client is Git…
Summary:
Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET.
This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.
Allow them to be served over GET if the client is Git…
Repository: R1 hydra
Commit Date: Apr 7 2016