Change Content-Security-Policy to be tighter on media paths (#26889)

2023-10-23 14:27:07 +02:00 · 2023-10-23 14:27:07 +02:00 · 78e457614c
parent 1e896e99d2
commit 78e457614c
1 changed files with 5 additions and 1 deletions
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -3,7 +3,11 @@
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

 def host_to_url(str)
-  "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present?
+  return if str.blank?
+
+  uri = Addressable::URI.parse("http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}")
+  uri.path += '/' unless uri.path.blank? || uri.path.end_with?('/')
+  uri.to_s
 end

 base_host = Rails.configuration.x.web_domain