authorThibaut Girka <thib@sitedethib.com>2020-02-06 11:25:18 +0100
committermultiple creatures <dev@multiple-creature.party>2020-02-06 16:47:29 -0600
commit53648857c79537f4423dd70a518fb9f6c7bc1bab (patch)
tree4e77e571f622d8f2604424e1dec4feb1dc2ecbe5
parent90802c9acd64d4ad6de05fae13efd3a97b4c6043 (diff)
Add environment variable to specify extra data hosts
Fixes #1276
-rw-r--r--.env.production.sample5
-rw-r--r--config/initializers/content_security_policy.rb2
2 files changed, 7 insertions, 0 deletions
diff --git a/.env.production.sample b/.env.production.sample
index 1649f6dd6..cc7750670 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -88,6 +88,11 @@ SMTP_FROM_ADDRESS=notifications@example.com
 # Access-Control-Allow-Origin: https://example.com/
 # CDN_HOST=https://assets.example.com
 
+# Optional list of hosts that are allowed to serve media for your instance
+# This is useful if you include external media in your custom CSS or about page,
+# or if your data storage provider makes use of redirects to other domains.
+# EXTRA_DATA_HOSTS=https://data.example1.com|https://data.example2.com
+
 # S3 (optional)
 # The attachment host must allow cross origin request from WEB_DOMAIN or
 # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index cd696526d..0b2e9f232 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -23,6 +23,8 @@ if Rails.env.production?
     data_hosts << "https://#{url.host}"
   end
 
+  data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS']
+
   data_hosts.uniq!
 
   Rails.application.config.content_security_policy do |p|
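Review bot: The new line `data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS']` appends each `|`-separated segment verbatim, so surrounding whitespace survives into the CSP source list and a doubled or trailing `|` yields an empty entry; a broad value such as `*` or a bare scheme would also be accepted unchallenged and widen whichever directives consume data_hosts (those directives are outside this hunk). I would at least normalise the input, e.g. `extra_hosts = ENV.fetch('EXTRA_DATA_HOSTS', '').split('|').map(&:strip).reject(&:empty?)` followed by `data_hosts.concat(extra_hosts)`, which also avoids the double ENV lookup. Consider additionally rejecting entries that are not a scheme plus host (the sample file documents `https://` URLs), so an operator typo cannot relax the policy globally. The enclosing `if Rails.env.production?` block begins before this hunk.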