FEATURE: Support for a whitelist for embeddable host paths

2025-05-22 04:31:10 +08:00 · 2016-08-23 14:55:52 -04:00
parent 43a3210c20
commit c3a3aff120
12 changed files with 51 additions and 31 deletions
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@ -85,7 +85,7 @@ class EmbedController < ApplicationController
    def ensure_embeddable

      if !(Rails.env.development? && current_user.try(:admin?))
-        raise Discourse::InvalidAccess.new('invalid referer host') unless EmbeddableHost.host_allowed?(request.referer)
+        raise Discourse::InvalidAccess.new('invalid referer host') unless EmbeddableHost.url_allowed?(request.referer)
      end

      response.headers['X-Frame-Options'] = "ALLOWALL"