diff options
author | Claire <claire.github-309c@sitedethib.com> | 2023-10-23 14:27:07 +0200 |
---|---|---|
committer | Claire <claire.github-309c@sitedethib.com> | 2023-12-04 15:27:44 +0100 |
commit | d4e0a12b27aa01012c50ac7f0d4ba26085258990 (patch) | |
tree | aebaac3c2f731ecb6c6af54e79a0e26d7672944a | |
parent | db59d8486bd12f7d32dd9785cbf2daf9115d0e16 (diff) |
Change Content-Security-Policy to be tighter on media paths (#26889)
-rw-r--r-- | config/initializers/content_security_policy.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 12fa64d6e93..c980b948ab7 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -3,7 +3,11 @@ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy def host_to_url(str) - "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present? + return if str.blank? + + uri = Addressable::URI.parse("http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}") + uri.path += '/' unless uri.path.blank? || uri.path.end_with?('/') + uri.to_s end base_host = Rails.configuration.x.web_domain |