mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 14:46:18 +08:00
19814c5e81
- Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly
26 lines
812 B
Ruby
26 lines
812 B
Ruby
# frozen_string_literal: true
|
|
|
|
module Middleware
|
|
class EnforceHostname
|
|
def initialize(app, settings = nil)
|
|
@app = app
|
|
end
|
|
|
|
def call(env)
|
|
# enforces hostname to match the hostname of our connection
|
|
# this middleware lives after rails multisite so at this point
|
|
# Discourse.current_hostname MUST be canonical, enforce it so
|
|
# all Rails helpers are guarenteed to use it unconditionally and
|
|
# never generate incorrect links
|
|
env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil
|
|
|
|
allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
|
|
requested_hostname = env[Rack::HTTP_HOST]
|
|
|
|
env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname
|
|
|
|
@app.call(env)
|
|
end
|
|
end
|
|
end
|