From b0088361a474575a4fcd3fbef77d9fa0286ef113 Mon Sep 17 00:00:00 2001
From: David Taylor <david@taylorhq.com>
Date: Sat, 9 Jan 2021 13:52:53 +0000
Subject: [PATCH] FIX: Do not include URL query in auto-generated CSP header (#11673)
---
 lib/content_security_policy/extension.rb | 2 ++
 spec/lib/content_security_policy_spec.rb | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/lib/content_security_policy/extension.rb b/lib/content_security_policy/extension.rb
index 93eab088e41..c697f5186bb 100644
--- a/lib/content_security_policy/extension.rb
+++ b/lib/content_security_policy/extension.rb
@@ -70,6 +70,8 @@ class ContentSecurityPolicy
 next if uri.host.nil? # Ignore same-domain scripts (theme-javascripts)
 next if uri.path.nil? # Ignore raw hosts
 
+ uri.query = nil # CSP should not include query part of url
+
 uri_string = uri.to_s.sub(/^\/\//, '') # Protocol-less CSP should not have // at beginning of URL
 auto_script_src_extension[:script_src] << uri_string
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index 14b5c8f6587..f4a73c6bbc9 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -239,6 +239,7 @@ describe ContentSecurityPolicy do
 theme.set_field(target: :common, name: "header", value: <<~SCRIPT)
 <script src='https://example.com/myscript.js'></script>
+ <script src='https://example.com/myscript2.js?with=query'></script>
 <script src='//example2.com/protocol-less-script.js'></script>
 <script src='domain-only.com'></script>
 <script>console.log('inline script')</script>
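Review bot: Clearing only `uri.query` still leaves `uri.fragment` in the emitted source expression, so a theme script tag such as `src='https://example.com/a.js#v2'` (constructed example) would put a `#v2` suffix into script-src; CSP host-source expressions carry neither a query nor a fragment, so a suffixed entry is likely to be rejected as an invalid source rather than allow the script. Add `uri.fragment = nil # CSP source expressions have no fragment part either` next to the new `uri.query = nil` line, and pair it with `expect(parse(theme_policy)['script-src']).not_to include('#')` alongside the new `not_to include('?')` expectation in the spec hunk at @@ -248. The enclosing iteration and method begin and end outside this hunk, so I cannot see whether userinfo is stripped earlier; worth confirming since `uri.to_s` would also emit it.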
@@ -248,6 +249,8 @@ describe ContentSecurityPolicy do
 theme.save!
 
 expect(parse(theme_policy)['script-src']).to include('https://example.com/myscript.js')
+ expect(parse(theme_policy)['script-src']).to include('https://example.com/myscript2.js')
+ expect(parse(theme_policy)['script-src']).not_to include('?')
 expect(parse(theme_policy)['script-src']).to include('example2.com/protocol-less-script.js')
 expect(parse(theme_policy)['script-src']).not_to include('domain-only.com')
 expect(parse(theme_policy)['script-src']).not_to include(a_string_matching /^\/theme-javascripts/)