discourse/lib/middleware/enforce_hostname.rb
David Taylor 19814c5e81
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180)
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
2020-03-19 19:54:42 +00:00

26 lines
812 B
Ruby

# frozen_string_literal: true
module Middleware
class EnforceHostname
def initialize(app, settings = nil)
@app = app
end
def call(env)
# enforces hostname to match the hostname of our connection
# this middleware lives after rails multisite so at this point
# Discourse.current_hostname MUST be canonical, enforce it so
# all Rails helpers are guarenteed to use it unconditionally and
# never generate incorrect links
env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil
allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
requested_hostname = env[Rack::HTTP_HOST]
env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname
@app.call(env)
end
end
end