SECURITY: Don't allow base_uri as embeddable host if none exist

app/models/embeddable_host.rb

@@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
 
   def self.url_allowed?(url)
     # Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
-    return true if url&.starts_with?(Discourse.base_url)
+    return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
 
     uri = begin
       URI(UrlHelper.escape_uri(url))

spec/models/embeddable_host_spec.rb

@@ -65,6 +65,10 @@ describe EmbeddableHost do
     end
   end
 
+  it "doesn't allow forum own URL if no hosts exist" do
+    expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
+  end
+
   describe "url_allowed?" do
     fab!(:host) { Fabricate(:embeddable_host) }