discourse/lib/middleware/enforce_hostname.rb

# frozen_string_literal: true

module Middleware
  class EnforceHostname
    def initialize(app, settings = nil)
      @app = app
    end

    def call(env)
      # enforces hostname to match the hostname of our connection
      # this middleware lives after rails multisite so at this point
      # Discourse.current_hostname MUST be canonical, enforce it so
      # all Rails helpers are guaranteed to use it unconditionally and
      # never generate incorrect links
      env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil

      allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
      requested_hostname = env[Rack::HTTP_HOST]

      env[Discourse::REQUESTED_HOSTNAME] = requested_hostname
      env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } || Discourse.current_hostname

      @app.call(env)
    end
  end
end
SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname 2018-11-14 23:22:02 -05:00			`# frozen_string_literal: true`

			`module Middleware`
			`class EnforceHostname`
			`def initialize(app, settings = nil)`
			`@app = app`
			`end`

			`def call(env)`
			`# enforces hostname to match the hostname of our connection`
			`# this middleware lives after rails multisite so at this point`
			`# Discourse.current_hostname MUST be canonical, enforce it so`
DEV: Correct typos and spelling mistakes (#12812) Over the years we accrued many spelling mistakes in the code base. This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change - comments - test descriptions - other low risk areas 2021-05-20 21:43:47 -04:00			`# all Rails helpers are guaranteed to use it unconditionally and`
SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname 2018-11-14 23:22:02 -05:00			`# never generate incorrect links`
			`env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil`
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 15:54:42 -04:00
			`allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames`
			`requested_hostname = env[Rack::HTTP_HOST]`

DEV: apply allow origin response header for CDN requests. (#11893) Currently, it creates a CORS error while accessing those static files. 2021-01-28 21:14:49 -05:00			`env[Discourse::REQUESTED_HOSTNAME] = requested_hostname`
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 15:54:42 -04:00			`env[Rack::HTTP_HOST] = allowed_hostnames.find { \|h\| h == requested_hostname } \|\| Discourse.current_hostname`

SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname 2018-11-14 23:22:02 -05:00			`@app.call(env)`
			`end`
			`end`
			`end`