From ccaefd139d33f2f0bf4d097131bcf91960bee956 Mon Sep 17 00:00:00 2001 From: Thibaut Girka Date: Thu, 6 Feb 2020 11:25:18 +0100 Subject: [PATCH] Add environment variable to specify extra data hosts Fixes #1276 --- .env.production.sample | 5 +++++ config/initializers/content_security_policy.rb | 2 ++ 2 files changed, 7 insertions(+) diff --git a/.env.production.sample b/.env.production.sample index f573a37def..a752298e89 100644 --- a/.env.production.sample +++ b/.env.production.sample @@ -89,6 +89,11 @@ SMTP_FROM_ADDRESS=notifications@example.com # Access-Control-Allow-Origin: https://example.com/ # CDN_HOST=https://assets.example.com +# Optional list of hosts that are allowed to serve media for your instance +# This is useful if you include external media in your custom CSS or about page, +# or if your data storage provider makes use of redirects to other domains. +# EXTRA_DATA_HOSTS=https://data.example1.com|https://data.example2.com + # S3 (optional) # The attachment host must allow cross origin request from WEB_DOMAIN or # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 810aa2880d..269a7d1c9a 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -23,6 +23,8 @@ if Rails.env.production? data_hosts << "https://#{url.host}" end + data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS'] + data_hosts.uniq! Rails.application.config.content_security_policy do |p|