github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-31 08:17:56 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)

Browse Source 
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
This commit is contained in:
David Taylor
2020-03-19 19:54:42 +00:00
committed by GitHub
parent e9a3639b10
commit 19814c5e81
10 changed files with 122 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/content_security_policy/middleware.rb
View File

@ -12,12 +12,15 @@ class ContentSecurityPolicy
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers)
ContentSecurityPolicy.base_url = request.host_with_port if !Rails.env.production?
# The EnforceHostname middleware ensures request.host_with_port can be trusted
protocol = (SiteSetting.force_https || request.ssl?) ? "https://" : "http://"
base_url = protocol + request.host_with_port + Discourse.base_uri
theme_ids = env[:resolved_theme_ids]
headers['Content-Security-Policy'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only
headers['Content-Security-Policy'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only
response
end