I am getting exactly the same error as this question, i.e. I can upload js files after allowing it in the settings, but when I try to download one, the URL in the browser changes to the js file URL and "The change you wanted was rejected." is displayed.
Environment:
Discourse docker running behind Nginx (nginx is using SSL)
Discourse container logs:
```
Started GET "p5ePkm5OoKveknnMjyArlS4PPwS.js" for 192.168.32.1 at 2021-02-22 05:48:52 +0000
Processing by UploadsController#show_short as JS
Parameters: {"base62"=>"p5ePkm5OoKveknnMjyArlS4PPwS", "extension"=>"js"}
Sent file afcdf626f9db8d54a1fb5e8ebcab0ea214d9226a.js (2.2ms)
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Completed 422 Unprocessable Entity in 59ms (ActiveRecord: 0.0ms | Allocations: 17414)
ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.)
/opt/bitnami/discourse/vendor/bundle/ruby/2.6.0/gems/actionpack-6.0.3.1/lib/action_controller/metal/request_forgery_protection.rb:266:in `verify_same_origin_request'
```
Nginx logs:
```
10.164.0.103 - - [22/Feb/2021:05:51:11 +0000] "GET /uploads/short-url/p5ePkm5OoKveknnMjyArlS4PPwS.js HTTP/2.0" 422 781 "getting-started-with-sftp-module/292" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
```
Any help or pointers is appreciated!
Are you allowing *.js files to be attached to posts by users? Do you have a legitimate need for JavaScript file attachments by your users? Just want to absolutely confirm before we proceed any further.
Hi All! I’m having the same issue. We’ve allowed the .js extension to be uploaded, but no one can download it. Haven’t yet found any setting to fix this. Can anyone help?
For now, we copy and paste the code into the text section of the post.
Use case: We have a .js file with a kickstarter code or a solution to a recurring problem and we want to share it as an attachment, so that users can download and start using it in their projects.
However, if we change the file extension from .js to .txt, it again shows “The change you wanted was rejected.” (This may be due to some storage optimization on the backend, that if the file has the same content as a previous file, then the new attachment points to the previously uploaded file)
So, I changed the (.txt) extension js file’s content a little bit and uploaded it again, and I was able to download the file as an attachment.
@codinghorror Is there a security risk in allowing to download .js files?
It works for uploads on S3 and it should work with local uploads as well, but there seems to be a new(ish) security measure from Rails:
```
ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.)
```
```
Started GET "/uploads/short-url/qDlrltMxEIJ2aYYdt8lZ200E3wA.js" for 94.31.111.247 at 2025-07-09 05:53:30 +0000
Processing by UploadsController#show_short as JS
Parameters: {"base62"=>"qDlrltMxEIJ2aYYdt8lZ200E3wA", "extension"=>"js"}
Sent file /var/www/discourse/public/uploads/default/original/1X/baab1fc131be960b601467333f5a690b257daeb0.js (0.3ms)
Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
Completed 422 Unprocessable Entity in 17ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)
```
js files are in the list of allowed upload extensions:
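To make the Rails check quoted above concrete, here is an added example (not Discourse or Rails code) that models the decision `verify_same_origin_request` makes: a plain GET that produces a JavaScript content type and was not sent via XMLHttpRequest is treated as a cross-site `<script>` inclusion and rejected with 422. The `Request` struct, the extension-to-content-type table and the hardened "serve every upload as an opaque attachment" variant are assumptions constructed for the illustration.

```ruby
# Added example, not Discourse's or Rails' own code. It models why a .js
# upload served through a GET short-url endpoint hits Rails'
# verify_same_origin_request and is answered with 422.
Request = Struct.new(:method, :path, :xhr, keyword_init: true)

# Constructed subset of the extension -> content-type table a Rack/Rails app
# consults when send_file derives the type from the filename (assumption).
CONTENT_TYPES = {
  ".js"  => "application/javascript",
  ".txt" => "text/plain",
  ".png" => "image/png",
}.freeze

def content_type_for(path)
  CONTENT_TYPES.fetch(File.extname(path), "application/octet-stream")
end

# Mirrors the two conditions Rails combines: GET requests are "marked for
# same-origin verification", and a JavaScript response that was not requested
# via XMLHttpRequest counts as a cross-origin <script> embed.
def cross_origin_javascript?(request, content_type)
  marked = request.method == "GET"
  js     = content_type.match?(%r{\A(?:text|application)/javascript})
  marked && js && !request.xhr
end

# Simulated upload endpoint. Default: content type derived from the extension,
# as in the thread. Hardened (assumed mitigation): every user upload is served
# as an opaque attachment, so browsers never execute it and the same-origin
# check is never triggered.
def serve_upload(request, hardened: false)
  ct = hardened ? "application/octet-stream" : content_type_for(request.path)
  return { status: 422, content_type: ct } if cross_origin_javascript?(request, ct)

  response = { status: 200, content_type: ct }
  response[:content_disposition] = "attachment" if hardened
  response
end

if $PROGRAM_NAME == __FILE__
  req = Request.new(method: "GET", path: "/uploads/short-url/abc.js", xhr: false)
  p serve_upload(req)                  # => {:status=>422, :content_type=>"application/javascript"}
  p serve_upload(req, hardened: true)  # => {:status=>200, :content_type=>"application/octet-stream", :content_disposition=>"attachment"}
end
```

The same request for a `.txt` file, or the `.js` request made as an XHR, passes the check, which is why renaming the file worked for the poster above.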
Same problem here. We have js files that run in our own software, nothing that would ever do anything in a browser.
We managed to fix the discourse download problem by moving all uploads to an S3 bucket and setting s3_use_cdn_url_for_all_uploads to true. This essentially bypasses the short-url controller which appears to be the show stopper for js files.
In detail (from my AI which walked me through this):
1. Set up S3-Compatible Storage (e.g., Cloudflare R2)
Discourse cannot safely serve .js files from the local disk. Move them to a bucket.
- Bucket: Create a private bucket (e.g., my-discourse-bucket).
- API Keys: Generate an Access Key and Secret Key.
2. Configure a Custom CDN Domain
In Cloudflare (or your provider), connect a custom domain to your bucket (e.g., cdn.example.com). This ensures files are served as static assets via a direct URL, bypassing the Discourse “security guard.”
3. Update Discourse Settings
In Admin → Settings, configure your S3 details. Crucially, enable the following to ensure Discourse doesn’t try to “sign” the URLs with temporary headers that can break:
- s3_use_cdn_url_for_all_uploads: Check this box (This is the most important step).
- s3_cdn_url: Set to https://cdn.example.com.
- s3_region: Use us-east-1 (for R2 compatibility).
4. Migrate Existing Uploads (optional)
Note: This did NOT work for us for unknown reasons.
To fix old links in existing posts, enter your container and run:
```bash
# Inside /var/discourse
./launcher enter app
rake uploads:migrate_to_s3
rake posts:rebake
```