From 982f23e1f21b22840286504f9c28e81a61a28565 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 1 Dec 2021 16:02:45 +0000
Subject: [PATCH] SECURITY: Remove ember-cli specific response from application routes (stable) (#15154)

Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label. For the stable branch, we are disabling the use of Ember CLI against production sites. A new implementation has been added to the tests-passed/beta branches
---
 app/helpers/application_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 17092306ab2..a91336e945b 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -596,7 +596,7 @@ module ApplicationHelper
   end
 
   def hijack_if_ember_cli!
-    if request.headers["HTTP_X_DISCOURSE_EMBER_CLI"] == "true"
+    if !Rails.env.production? && request.headers["HTTP_X_DISCOURSE_EMBER_CLI"] == "true"
       raise ApplicationController::EmberCLIHijacked.new
     end
   end
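Review bot: The new guard `!Rails.env.production?` is a deny-list on one environment name, so any deployment running under a different RAILS_ENV (a staging tier behind the same CDN or reverse-proxy cache, for example) keeps the header-dependent response that the commit message identifies as the cache-poisoning vector. Since the intent is to allow the hijack only where a developer runs Ember CLI locally, an allow-list reads the intent directly and fails closed for unknown environments: `if (Rails.env.development? || Rails.env.test?) && request.headers["HTTP_X_DISCOURSE_EMBER_CLI"] == "true"`. Whichever form is kept, the line deserves a short why-comment above it, such as `# Only honour the Ember CLI hijack header in local dev/test: the response it selects is not keyed in any cache (no Vary), so enabling it behind a shared cache risks poisoning (see #15154).` The enclosing `ApplicationHelper` module continues outside the hunk; the method itself is fully visible.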