about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--.env.production.sample5
-rw-r--r--config/initializers/content_security_policy.rb2
2 files changed, 7 insertions, 0 deletions
diff --git a/.env.production.sample b/.env.production.sample
index f573a37de..a752298e8 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -89,6 +89,11 @@ SMTP_FROM_ADDRESS=notifications@example.com
 # Access-Control-Allow-Origin: https://example.com/
 # CDN_HOST=https://assets.example.com
 
+# Optional list of hosts that are allowed to serve media for your instance
+# This is useful if you include external media in your custom CSS or about page,
+# or if your data storage provider makes use of redirects to other domains.
+# EXTRA_DATA_HOSTS=https://data.example1.com|https://data.example2.com
+
 # S3 (optional)
 # The attachment host must allow cross origin request from WEB_DOMAIN or
 # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 810aa2880..269a7d1c9 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -23,6 +23,8 @@ if Rails.env.production?
     data_hosts << "https://#{url.host}"
   end
 
+  data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS']
+
   data_hosts.uniq!
 
   Rails.application.config.content_security_policy do |p|