mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 18:43:38 +08:00
c8d438cc63
The QUnit rake task starts a server in test mode. We need a tweak to allow dynamic CSP hostnames in test mode. This tweak is already present in development mode. To allow CSP to work, the browser host/port must match what the server sees. Therefore we need to disable the enforce_hostname middleware in test mode. To keep rspec and production as similar as possible, we skip enforce_hostname using an environment variable. Also move the qunit rake task to use unicorn, for consistency with development and production.
34 lines
952 B
Ruby
34 lines
952 B
Ruby
# frozen_string_literal: true
|
|
require_dependency 'content_security_policy'
|
|
|
|
class ContentSecurityPolicy
|
|
class Middleware
|
|
def initialize(app)
|
|
@app = app
|
|
end
|
|
|
|
def call(env)
|
|
request = Rack::Request.new(env)
|
|
_, headers, _ = response = @app.call(env)
|
|
|
|
return response unless html_response?(headers)
|
|
ContentSecurityPolicy.base_url = request.host_with_port if !Rails.env.production?
|
|
|
|
theme_ids = env[:resolved_theme_ids]
|
|
|
|
headers['Content-Security-Policy'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
|
|
headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only
|
|
|
|
response
|
|
end
|
|
|
|
private
|
|
|
|
delegate :policy, to: :ContentSecurityPolicy
|
|
|
|
def html_response?(headers)
|
|
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
|
end
|
|
end
|
|
end
|