-rw-r--r-- | .env.production.sample | 5 | ||||
-rw-r--r-- | config/initializers/content_security_policy.rb | 2 |
2 files changed, 7 insertions, 0 deletions
diff --git a/.env.production.sample b/.env.production.sample
index f573a37de..a752298e8 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -89,6 +89,11 @@ SMTP_FROM_ADDRESS=notifications@example.com
 # Access-Control-Allow-Origin: https://example.com/
 # CDN_HOST=https://assets.example.com
 
+# Optional list of hosts that are allowed to serve media for your instance
+# This is useful if you include external media in your custom CSS or about page,
+# or if your data storage provider makes use of redirects to other domains.
+# EXTRA_DATA_HOSTS=https://data.example1.com|https://data.example2.com
+
 # S3 (optional)
 # The attachment host must allow cross origin request from WEB_DOMAIN or
 # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 810aa2880..269a7d1c9 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -23,6 +23,8 @@ if Rails.env.production?
 data_hosts << "https://#{url.host}"
 end
 
+data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS']
+
 data_hosts.uniq!
 
 Rails.application.config.content_security_policy do |p|
|
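Review bot: The added `data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|'))` pushes each raw token straight into the CSP source list, so stray whitespace around a separator or a doubled `|` produces tokens such as `" https://x"` or `""` that a browser will reject or misparse, silently dropping the source the operator meant to allow. Normalizing the list first keeps the emitted policy well-formed: `data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|').map(&:strip).reject(&:empty?)) if ENV['EXTRA_DATA_HOSTS']`. A short comment above the line would also help, e.g. `# Operator-supplied hosts; every entry is added verbatim to the directives built from data_hosts below, so keep it to hosts you actually control or trust — a wildcard or overly broad entry widens the whole policy` (which directives those are is not visible in this hunk). The enclosing `if Rails.env.production?` block starts and ends outside the hunk.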