mirror of
https://github.com/discourse/discourse.git
synced 2025-06-19 22:23:04 +08:00

Previously we would check the request for a matching CDN hostname before applying the `Access-Control-Allow-Origin` header. That logic requires the CDN to include its public-facing hostname in the `Host` header, which is not always the case. Since we are only running this `apply_cdn_headers` before_action on publicly-accessible asset routes, we can simplify things so that the `Access-Control-Allow-Origin: *` header is always included. That will make CDN config requirements much more relaxed. At the moment, this is primarily relevant to the HighlightJsController routes, which are loaded using native JS `type=module`. But in the near future, we plan to expand our use of `type=module` to more critical JS assets like translations and themes. Also drops the `Access-Control-Allow-Methods` header from these responses. That isn't needed for `GET` and `HEAD` requests.
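The two strategies the commit message contrasts, written out as an added example (this is not Discourse's code): a "before" middleware that only sets the CORS header when the request `Host` equals the CDN's public hostname, and an "after" middleware that treats the public asset route itself as the trust boundary and always emits `Access-Control-Allow-Origin: *`. It is plain Rack-style code over a hash env so it runs without the rack gem; the class names, asset prefixes and hostnames are constructed for the example.

```ruby
# Added example, not Discourse's code. Class names, PUBLIC_ASSET_PREFIXES and
# the hostnames used in the demo are constructed.

PUBLIC_ASSET_PREFIXES = %w[/highlight-js/ /assets/].freeze

def public_asset?(env)
  PUBLIC_ASSET_PREFIXES.any? { |prefix| env["PATH_INFO"].start_with?(prefix) }
end

# Inner app standing in for the asset controller action; returns a fresh
# headers hash per call so middleware can mutate it safely.
ASSET_APP = ->(_env) { [200, { "Content-Type" => "text/javascript" }, ["export default 1;"]] }

# Old behaviour: emit CORS headers only when Host matches the CDN's public
# hostname. If the CDN forwards the origin hostname in Host instead, the header
# is silently missing and `<script type="module">` loads from the CDN fail.
class CdnHeadersByHostMatch
  def initialize(app, cdn_hostname)
    @app = app
    @cdn_hostname = cdn_hostname
  end

  def call(env)
    status, headers, body = @app.call(env)
    if public_asset?(env) && env["HTTP_HOST"] == @cdn_hostname
      headers["Access-Control-Allow-Origin"] = "*"
      headers["Access-Control-Allow-Methods"] = "GET, HEAD"
    end
    [status, headers, body]
  end
end

# New behaviour: the route is the trust boundary. Anything served from a public
# asset path gets a wildcard origin regardless of Host, and no Allow-Methods
# header (browsers only consult it on preflighted requests, not plain GET/HEAD).
class CdnHeadersAlways
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Access-Control-Allow-Origin"] = "*" if public_asset?(env)
    [status, headers, body]
  end
end

# Run one GET through a middleware and return only the CORS-relevant headers.
def cors_headers(middleware, path, host)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path, "HTTP_HOST" => host }
  _status, headers, _body = middleware.call(env)
  headers.slice("Access-Control-Allow-Origin", "Access-Control-Allow-Methods")
end

if __FILE__ == $PROGRAM_NAME
  old_mw = CdnHeadersByHostMatch.new(ASSET_APP, "cdn.example.com")
  new_mw = CdnHeadersAlways.new(ASSET_APP)
  %w[cdn.example.com origin.example.com].each do |host|
    puts "Host: #{host}"
    puts "  before: #{cors_headers(old_mw, "/highlight-js/ruby.js", host).inspect}"
    puts "  after:  #{cors_headers(new_mw, "/highlight-js/ruby.js", host).inspect}"
  end
end
```

The wildcard is only acceptable because the middleware is scoped to routes that serve the same static bytes to everyone; a response that varies per user, or that is meant to be read with credentials, must not carry `Access-Control-Allow-Origin: *`, and the `public_asset?` guard is what keeps the relaxation from leaking onto such routes.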
27 lines
830 B
Ruby
# frozen_string_literal: true

module Middleware
  class EnforceHostname
    def initialize(app, settings = nil)
      @app = app
    end

    def call(env)
      # enforces hostname to match the hostname of our connection
      # this middleware lives after rails multisite so at this point
      # Discourse.current_hostname MUST be canonical, enforce it so
      # all Rails helpers are guaranteed to use it unconditionally and
      # never generate incorrect links
      env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil

      allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
      requested_hostname = env[Rack::HTTP_HOST]

      env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } ||
        Discourse.current_hostname_with_port

      @app.call(env)
    end
  end
end
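Why the middleware above rewrites `HTTP_HOST` before any Rails helper sees it, shown as an added example that is not Discourse's code: a link builder that derives its host from the request can be steered to whatever hostname the client sent, whereas one fed the allowlisted or canonical hostname cannot. The example uses the plain string env keys `HTTP_HOST` and `HTTP_X_FORWARDED_HOST` (the values behind `Rack::HTTP_HOST` and `Rack::Request::HTTP_X_FORWARDED_HOST` in the original) so it runs without the rack gem; `enforce_hostname`, `absolute_url`, `reset_link` and every hostname are constructed for the example.

```ruby
# Added example, not Discourse's code. ALLOWED_HOSTNAMES stands in for
# RailsMultisite::ConnectionManagement.current_db_hostnames and
# CANONICAL_HOSTNAME for Discourse.current_hostname_with_port; both are
# constructed values.

ALLOWED_HOSTNAMES = %w[forum.example.com forum-alt.example.com].freeze
CANONICAL_HOSTNAME = "forum.example.com"

# Same rule as the middleware: discard X-Forwarded-Host, keep the requested
# Host only if it is in the per-site allowlist, otherwise use the canonical one.
# Returns a new env so the caller can compare before and after.
def enforce_hostname(env, allowed = ALLOWED_HOSTNAMES, canonical = CANONICAL_HOSTNAME)
  env = env.dup
  env["HTTP_X_FORWARDED_HOST"] = nil
  requested = env["HTTP_HOST"]
  env["HTTP_HOST"] = allowed.find { |h| h == requested } || canonical
  env
end

# A naive URL helper of the kind the middleware exists to protect: it trusts
# whatever host the request carried, preferring a forwarded host when present.
def absolute_url(env, path)
  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]
  "https://#{host}#{path}"
end

# Stand-in for a link that ends up in an outbound e-mail; the token is a placeholder.
def reset_link(env)
  absolute_url(env, "/password-reset/TOKEN_PLACEHOLDER")
end

if __FILE__ == $PROGRAM_NAME
  requests = {
    "unknown Host"            => { "HTTP_HOST" => "unknown.example.net" },
    "allowed Host, forwarded" => { "HTTP_HOST" => "forum.example.com", "HTTP_X_FORWARDED_HOST" => "unknown.example.net" },
    "alternate allowed Host"  => { "HTTP_HOST" => "forum-alt.example.com" },
  }
  requests.each do |label, env|
    puts "#{label}:"
    puts "  raw env      -> #{reset_link(env)}"
    puts "  enforced env -> #{reset_link(enforce_hostname(env))}"
  end
end
```

Note that the allowlist match is an exact string comparison, so `forum.example.com:8443` or a differently cased hostname falls through to the canonical value rather than being accepted; if a deployment legitimately serves on a port, that port must be part of the allowlist entry.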