From 6179c95e13895bbae4315a5a850d83d8fdd12ab9 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike@37signals.com>
Date: Fri, 21 Nov 2025 22:11:32 -0500
Subject: [PATCH] Move browser check to the sessions controller

The check is unnecessary once users have logged in, and its presence
on some unauthenticated pages is blocking things like:

- image proxy requests for user avatars (emails)
- opengraph requests for public pages (social media)

ref: https://app.fizzy.do/5986089/cards/1775
ref: https://app.fizzy.do/5986089/cards/1740
---
 app/controllers/application_controller.rb | 1 -
 app/controllers/sessions_controller.rb    | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index de3bd535ab..08fea512fc 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,5 +8,4 @@ class ApplicationController < ActionController::Base
 
   etag { "v1" }
   stale_when_importmap_changes
-  allow_browser versions: :modern
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 8c623b6ef0..bdc8a4e023 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,4 +1,6 @@
 class SessionsController < ApplicationController
+  allow_browser versions: :modern
+
   # FIXME: Remove this before launch!
   unless Rails.env.local?
     http_basic_authenticate_with \