FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)

- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
David Taylor
2020-03-19 19:54:42 +00:00
committed by GitHub
parent e9a3639b10
commit 19814c5e81
10 changed files with 122 additions and 21 deletions


@ -107,7 +107,7 @@ module Middleware
def cache_key
return @cache_key if defined?(@cache_key)
@cache_key = +"ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}"
@cache_key = +"ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env[Rack::RACK_URL_SCHEME]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}"
@cache_key << AnonymousCache.build_cache_key(self)
@cache_key
end
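Review bot: The new key component `@env[Rack::RACK_URL_SCHEME]` in `cache_key` deserves a comment, since nothing in the method says why the scheme now matters; the commit message is the only place that explains it. I would add above the assignment: `# Scheme is part of the key: the CSP header differs between http and https (see force_https), so an http and an https response must never share a cache entry.` It also seems worth confirming that the CSP builder derives its scheme from the same `rack.url_scheme` value rather than a site-wide setting, otherwise a cached response for one scheme could still carry the other scheme's policy; that code is not in this hunk.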


@ -13,7 +13,12 @@ module Middleware
# all Rails helpers are guarenteed to use it unconditionally and
# never generate incorrect links
env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil
env[Rack::HTTP_HOST] = Discourse.current_hostname
allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
requested_hostname = env[Rack::HTTP_HOST]
env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname
@app.call(env)
end
end
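Review bot: The new check `env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname` is a strict string equality, so a `Host` value that differs from a configured secondary domain only in letter case or by an explicit `:port` suffix falls back to the default hostname instead of matching; whether that is intended is not stated anywhere in the hunk. Falling back is the safe direction, since an unrecognised host is never echoed into generated links, but if secondary domains are expected to work behind a proxy that preserves the port, the comparison may need normalising first, e.g. comparing `requested_hostname&.downcase` against lower-cased entries of `current_db_hostnames`. As a point of style, `find { |h| h == x }` reads more directly as `allowed_hostnames.include?(requested_hostname) ? requested_hostname : Discourse.current_hostname`. The enclosing `call(env)` method starts above this hunk.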