Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

epriestley · epriestley · commit 42e5b8a04bec · 2018-03-02T07:42:29.000-08:00
Summary: Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy. When there's no CDN, include the primary domain in the CSP explicitly. Test Plan: Loaded `local.www.phacility.com`, got resources. Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D19170
diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
@@ -109,7 +109,14 @@ private function newContentSecurityPolicyHeader() {
     if ($cdn) {
       $default = $this->newContentSecurityPolicySource($cdn);
     } else {
-      $default = "'self'";
+      // If an alternate file domain is not configured and the user is viewing
+      // a Phame blog on a custom domain or some other custom site, we'll still
+      // serve resources from the main site. Include the main site explicitly.
+
+      $base_uri = PhabricatorEnv::getURI('/');
+      $base_uri = $this->newContentSecurityPolicySource($base_uri);
+
+      $default = "'self' {$base_uri}";
     }
 
     $csp[] = "default-src {$default}";
