Fix Content Security Policy sometimes unnecessarily allowing hCaptcha scripts (#26388)

2023-08-08 15:41:38 +02:00 · 2023-08-08 15:41:38 +02:00 · 8b37dd2c86
commit 8b37dd2c86
parent 2c204d904b
1 changed files with 3 additions and 1 deletions
--- a/app/controllers/concerns/captcha_concern.rb
+++ b/app/controllers/concerns/captcha_concern.rb
@ -42,7 +42,7 @@ module CaptchaConcern
  end

  def extend_csp_for_captcha!
-    policy = request.content_security_policy
+    policy = request.content_security_policy&.clone

    return unless captcha_required? && policy.present?

@ -54,6 +54,8 @@ module CaptchaConcern

      policy.send(directive, *values)
    end
+
+    request.content_security_policy = policy
  end

  def render_captcha