mirror of
https://github.com/discourse/discourse.git
synced 2024-11-28 06:43:45 +08:00
8e3691d537
Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
37 lines
1.1 KiB
Ruby
37 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
require_dependency 'content_security_policy'
|
|
|
|
class ContentSecurityPolicy
|
|
class Middleware
|
|
def initialize(app)
|
|
@app = app
|
|
end
|
|
|
|
def call(env)
|
|
request = Rack::Request.new(env)
|
|
_, headers, _ = response = @app.call(env)
|
|
|
|
return response unless html_response?(headers)
|
|
|
|
# The EnforceHostname middleware ensures request.host_with_port can be trusted
|
|
protocol = (SiteSetting.force_https || request.ssl?) ? "https://" : "http://"
|
|
base_url = protocol + request.host_with_port + Discourse.base_path
|
|
|
|
theme_id = env[:resolved_theme_id]
|
|
|
|
headers['Content-Security-Policy'] = policy(theme_id, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
|
|
headers['Content-Security-Policy-Report-Only'] = policy(theme_id, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only
|
|
|
|
response
|
|
end
|
|
|
|
private
|
|
|
|
delegate :policy, to: :ContentSecurityPolicy
|
|
|
|
def html_response?(headers)
|
|
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
|
end
|
|
end
|
|
end
|