DEV: More robust referrer host parsing (#27534)

2025-05-28 13:51:18 +08:00 · 2024-06-19 16:30:40 +08:00
parent 9cc030fe8d
commit 9468e0c0f2
2 changed files with 14 additions and 6 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1008,10 +1008,13 @@ class ApplicationController < ActionController::Base
  end

  def set_cross_origin_opener_policy_header
-    response.headers["Cross-Origin-Opener-Policy"] = if SiteSetting
-         .cross_origin_opener_unsafe_none_referrers
-         .split("|")
-         .include?(request.referrer&.split("://")&.last)
+    response.headers[
+      "Cross-Origin-Opener-Policy"
+    ] = if SiteSetting.cross_origin_opener_unsafe_none_referrers.present? &&
+         SiteSetting
+           .cross_origin_opener_unsafe_none_referrers
+           .split("|")
+           .include?(UrlHelper.relaxed_parse(request.referrer.to_s)&.host)
      "unsafe-none"
    else
      SiteSetting.cross_origin_opener_policy_header