diff options
| author | Claire <claire.github-309c@sitedethib.com> | 2023-10-23 14:27:07 +0200 |
|---|---|---|
| committer | Claire <claire.github-309c@sitedethib.com> | 2023-12-04 15:28:02 +0100 |
| commit | 78e457614cae328f73555f11d77dc4cf341019b1 (patch) | |
| tree | 315d856eb13c39ce9531a857217ca8e5914b5d46 | |
| parent | 1e896e99d2b85968eaee87b601bd04b8cf0f35bc (diff) | |
Change Content-Security-Policy to be tighter on media paths (#26889)
| -rw-r--r-- | config/initializers/content_security_policy.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index ccce6d71eb7..d863fa6d448 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -3,7 +3,11 @@ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy def host_to_url(str) - "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present? + return if str.blank? + + uri = Addressable::URI.parse("http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}") + uri.path += '/' unless uri.path.blank? || uri.path.end_with?('/') + uri.to_s end base_host = Rails.configuration.x.web_domain |