From ccaefd139d33f2f0bf4d097131bcf91960bee956 Mon Sep 17 00:00:00 2001
From: Thibaut Girka <thib@sitedethib.com>
Date: Thu, 6 Feb 2020 11:25:18 +0100
Subject: [PATCH] Add environment variable to specify extra data hosts

Fixes #1276
---
 .env.production.sample                         | 5 +++++
 config/initializers/content_security_policy.rb | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/.env.production.sample b/.env.production.sample
index f573a37de..a752298e8 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -89,6 +89,11 @@ SMTP_FROM_ADDRESS=notifications@example.com
 # Access-Control-Allow-Origin: https://example.com/
 # CDN_HOST=https://assets.example.com
 
+# Optional list of hosts that are allowed to serve media for your instance
+# This is useful if you include external media in your custom CSS or about page,
+# or if your data storage provider makes use of redirects to other domains.
+# EXTRA_DATA_HOSTS=https://data.example1.com|https://data.example2.com
+
 # S3 (optional)
 # The attachment host must allow cross origin request from WEB_DOMAIN or
 # LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 810aa2880..269a7d1c9 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -23,6 +23,8 @@ if Rails.env.production?
     data_hosts << "https://#{url.host}"
   end
 
+  data_hosts.concat(ENV['EXTRA_DATA_HOSTS'].split('|')) if ENV['EXTRA_DATA_HOSTS']
+
   data_hosts.uniq!
 
   Rails.application.config.content_security_policy do |p|