Change Content-Security-Policy to be tighter on media paths (#26889)

author: Claire <claire.github-309c@sitedethib.com> 2023-10-23 14:27:07 +0200
committer: Claire <claire.github-309c@sitedethib.com> 2023-12-04 15:27:44 +0100
commit: d4e0a12b27aa01012c50ac7f0d4ba26085258990 (patch)
tree: aebaac3c2f731ecb6c6af54e79a0e26d7672944a
parent: db59d8486bd12f7d32dd9785cbf2daf9115d0e16 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 12fa64d6e93..c980b948ab7 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -3,7 +3,11 @@
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
 def host_to_url(str)
-  "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present?
+  return if str.blank?
+
+  uri = Addressable::URI.parse("http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}")
+  uri.path += '/' unless uri.path.blank? || uri.path.end_with?('/')
+  uri.to_s
 end
 
 base_host = Rails.configuration.x.web_domain
author	Claire <claire.github-309c@sitedethib.com>	2023-10-23 14:27:07 +0200
committer	Claire <claire.github-309c@sitedethib.com>	2023-12-04 15:27:44 +0100
commit	d4e0a12b27aa01012c50ac7f0d4ba26085258990 (patch)
tree	aebaac3c2f731ecb6c6af54e79a0e26d7672944a
parent	db59d8486bd12f7d32dd9785cbf2daf9115d0e16 (diff)