Fix media host not being included in connect-src for OCR (mastodon#11577)

Gargron · hiyuki2578 · commit 50c3882c1d6c · 2019-10-02T10:38:26.000+09:00
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -2,10 +2,20 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-base_host     = Rails.configuration.x.web_domain
+def host_to_url(str)
+  "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}" unless str.blank?
+end
+
+base_host = Rails.configuration.x.web_domain
+
 assets_host   = Rails.configuration.action_controller.asset_host
-assets_host ||= "http#{Rails.configuration.x.use_https ? 's' : ''}://#{base_host}"
 instance_ticker_host = "https://wee.jp"
+assets_host ||= host_to_url(base_host)
+
+media_host   = host_to_url(ENV['S3_ALIAS_HOST'])
+media_host ||= host_to_url(ENV['S3_CLOUDFRONT_HOST'])
+media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
+media_host ||= assets_host
 
 Rails.application.config.content_security_policy do |p|
   p.base_uri        :none
@@ -21,10 +31,10 @@
   if Rails.env.development?
     webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
 
-    p.connect_src :self, :data, :blob, assets_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
+    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
     p.script_src  :self, :blob, :unsafe_inline, :unsafe_eval, assets_host
   else
-    p.connect_src :self, :data, :blob, assets_host, Rails.configuration.x.streaming_api_base_url
+    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
     p.script_src  :self, :blob, assets_host
   end
 end
