Merge pull request opf#20807 from opf/fix/68580-dynamic-csp-for-local-addresses

brunopagno · web-flow · commit 8e9fbb2c05b9 · 2025-10-29T14:18:54.000+01:00
Allow dynamic CSP to define addresses without standard ports
diff --git a/app/controllers/concerns/dynamic_content_security_policy.rb b/app/controllers/concerns/dynamic_content_security_policy.rb
@@ -68,8 +68,14 @@ def add_hocuspocus_host_to_csp
         nil
       end
       if uri.present?
-        append_content_security_policy_directives(connect_src: ["#{uri.scheme}://#{uri.host}"])
+        append_content_security_policy_directives(connect_src: ["#{uri.scheme}://#{host_with_port(uri)}"])
       end
     end
   end
+
+  def host_with_port(uri)
+    # Include port if it's not the default port for the scheme (necessary for local dev support)
+    default_port = ["wss", "https"].include?(uri.scheme) ? 443 : 80
+    uri.port && uri.port != default_port ? "#{uri.host}:#{uri.port}" : uri.host
+  end
 end
