From 35110f66817252250c40295a507d86aa03477dff Mon Sep 17 00:00:00 2001
From: Penar Musaraj
Date: Wed, 7 Jul 2021 09:43:48 -0400
Subject: [PATCH] FIX: Set CSP base-uri to `self` (#13654)

---
 lib/content_security_policy/default.rb | 2 +-
 spec/lib/content_security_policy_spec.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index daebd99df50..8029bad9e4f 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -9,7 +9,7 @@ class ContentSecurityPolicy
 @base_url = base_url
 @directives = {}.tap do |directives|
 directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
-directives[:base_uri] = [:none]
+directives[:base_uri] = [:self]
 directives[:object_src] = [:none]
 directives[:script_src] = script_src
 directives[:worker_src] = worker_src
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index 20ea52d3b25..a2d85c538cb 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -19,9 +19,9 @@ describe ContentSecurityPolicy do
 end

 describe 'base-uri' do
-it 'is set to none' do
+it 'is set to self' do
 base_uri = parse(policy)['base-uri']
-expect(base_uri).to eq(["'none'"])
+expect(base_uri).to eq(["'self'"])
 end
 end
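Review bot: The new `directives[:base_uri] = [:self]` line loosens a directive that was deliberately locked to `'none'`, and nothing on the line records why, so a later hardening pass is likely to flip it back and re-break whatever #13654 fixed. I would annotate it with `# 'self', not 'none': the page needs a same-origin <base> element (see #13654); a cross-origin <base href> injected via XSS is still refused`, adjusted to what the linked issue actually shows. Note that `'self'` is matched against the document's origin, not against the `@base_url` assigned two lines above, so if the app emits a `<base>` pointing at a different host this relaxation will not be sufficient — worth confirming against the issue. The method that sets `@base_url` and the `tap` block around this line both begin before and end after the hunk.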