SECURITY: __ws shouldn't be able to override every domain in multisite

config/initializers/200-first_middlewares.rb

@@ -21,6 +21,10 @@ if Rails.env != 'development' || ENV['TRACK_REQUESTS']
 end
 
 if Rails.configuration.multisite
+  RailsMultisite::ConnectionManagement.asset_hostname =
+    GlobalSetting.cdn_origin_hostname ||
+    Discourse::Application.config.database_configuration[Rails.env]["host_names"].first
+
   # Multisite needs to be first, because the request tracker and message bus rely on it
   Rails.configuration.middleware.unshift RailsMultisite::Middleware, RailsMultisite::DiscoursePatches.config
   Rails.configuration.middleware.delete ActionDispatch::Executor