# frozen_string_literal: true
require "content_security_policy"

class ContentSecurityPolicy
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      request = Rack::Request.new(env)
      _, headers, _ = response = @app.call(env)

      return response unless html_response?(headers)

      # The EnforceHostname middleware ensures request.host_with_port can be trusted
      protocol = (SiteSetting.force_https || request.ssl?) ? "https://" : "http://"
      base_url = protocol + request.host_with_port + Discourse.base_path

      theme_id = env[:resolved_theme_id]

      headers["Content-Security-Policy"] = policy(
        theme_id,
        base_url: base_url,
        path_info: env["PATH_INFO"],
      ) if SiteSetting.content_security_policy
      headers["Content-Security-Policy-Report-Only"] = policy(
        theme_id,
        base_url: base_url,
        path_info: env["PATH_INFO"],
      ) if SiteSetting.content_security_policy_report_only

      response
    end

    private

    delegate :policy, to: :ContentSecurityPolicy

    def html_response?(headers)
      headers["Content-Type"] && headers["Content-Type"] =~ /html/
    end
  end
end