From 87b95356f71d33f42610f3ba50ee255cb8550565 Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Tue, 17 Jan 2023 16:29:38 +0200
Subject: [PATCH] SECURITY: Remove bypass for base_url

The check used to be necessary because we validated the referrer too and this bypass was a workaround a bug that is present in some browsers that do not send the correct referrer.
---
 app/models/embeddable_host.rb | 3 ---
 spec/models/embeddable_host_spec.rb | 4 ++--
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/app/models/embeddable_host.rb b/app/models/embeddable_host.rb
index b9c63aff5b3..b271d37b025 100644
--- a/app/models/embeddable_host.rb
+++ b/app/models/embeddable_host.rb
@@ -45,9 +45,6 @@ class EmbeddableHost < ActiveRecord::Base
   def self.url_allowed?(url)
     return false if url.nil?
 
-    # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
-    return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
-
     uri =
       begin
         URI(UrlHelper.normalized_encode(url))
diff --git a/spec/models/embeddable_host_spec.rb b/spec/models/embeddable_host_spec.rb
index 68871b9402d..a72c577be89 100644
--- a/spec/models/embeddable_host_spec.rb
+++ b/spec/models/embeddable_host_spec.rb
@@ -88,8 +88,8 @@ RSpec.describe EmbeddableHost do
       expect(EmbeddableHost.url_allowed?("http://discourse.org")).to eq(true)
     end
 
-    it "always allow forum own URL" do
-      expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(true)
+    it "does not allow forum own URL" do
+      expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
     end
   end
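Review bot: With the short-circuit removed, nothing left in `url_allowed?` records that `Discourse.base_url` is deliberately given no special treatment, so the next maintainer who hits the WebKit referer problem the deleted comment described has no in-code reason not to reintroduce it; the rationale lives only in the commit message. Suggest keeping a one-line comment after `return false if url.nil?`: `# No short-circuit for Discourse.base_url: the forum's own origin is validated like any other host now that the referrer is no longer checked, and the old starts_with? test was only a prefix match rather than an origin comparison.` The body of `url_allowed?` continues past the hunk, so whether the normalized URI path below already handles the forum's own host cannot be confirmed from here.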
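Review bot: The renamed example pins only the negative case, so a regression that rejected the forum's own origin even when an operator has registered it as an EmbeddableHost would still pass this file. A companion example that registers a host matching `Discourse.base_url` (presumably with the same fabrication helper the other examples in this file use, which is outside the hunk) and then expects `EmbeddableHost.url_allowed?(Discourse.base_url)` to eq `true` would pin both sides of the new behaviour. The enclosing `describe` block continues outside the hunk.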