DEV: More robust referrer host parsing (#27534)
This commit is contained in:
parent
9cc030fe8d
commit
9468e0c0f2
|
@ -1008,10 +1008,13 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
|
||||
def set_cross_origin_opener_policy_header
|
||||
response.headers["Cross-Origin-Opener-Policy"] = if SiteSetting
|
||||
.cross_origin_opener_unsafe_none_referrers
|
||||
.split("|")
|
||||
.include?(request.referrer&.split("://")&.last)
|
||||
response.headers[
|
||||
"Cross-Origin-Opener-Policy"
|
||||
] = if SiteSetting.cross_origin_opener_unsafe_none_referrers.present? &&
|
||||
SiteSetting
|
||||
.cross_origin_opener_unsafe_none_referrers
|
||||
.split("|")
|
||||
.include?(UrlHelper.relaxed_parse(request.referrer.to_s)&.host)
|
||||
"unsafe-none"
|
||||
else
|
||||
SiteSetting.cross_origin_opener_policy_header
|
||||
|
|
|
@ -556,14 +556,19 @@ RSpec.describe ApplicationController do
|
|||
end
|
||||
|
||||
it "sets `Cross-Origin-Opener-Policy` to `unsafe-none` for a listed referrer" do
|
||||
get "/latest", headers: { "HTTP_REFERER" => "meta.discourse.org" }
|
||||
get "/latest", headers: { "HTTP_REFERER" => "https://meta.discourse.org/" }
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("unsafe-none")
|
||||
|
||||
get "/latest", headers: { "HTTP_REFERER" => "https://meta.discourse.org/hot" }
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("unsafe-none")
|
||||
end
|
||||
|
||||
it "sets `Cross-Origin-Opener-Policy` to configured value for a non-listed referrer" do
|
||||
get "/latest", headers: { "HTTP_REFERER" => "www.discourse.org" }
|
||||
get "/latest", headers: { "HTTP_REFERER" => "https://www.discourse.org/" }
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.headers["Cross-Origin-Opener-Policy"]).to eq("same-origin")
|
||||
|
|
Loading…
Reference in New Issue