From 42e5b8a04bece0abe4e018deb381347ac1bf7d37 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Fri, 2 Mar 2018 06:59:55 -0800
Subject: [PATCH] Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

Summary: Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy. When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan: Loaded `local.www.phacility.com`, got resources.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19170
---
 src/aphront/response/AphrontResponse.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
index 73c4e68f00..892417fcb1 100644
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -109,7 +109,14 @@ abstract class AphrontResponse extends Phobject {
     if ($cdn) {
       $default = $this->newContentSecurityPolicySource($cdn);
     } else {
-      $default = "'self'";
+      // If an alternate file domain is not configured and the user is viewing
+      // a Phame blog on a custom domain or some other custom site, we'll still
+      // serve resources from the main site. Include the main site explicitly.
+
+      $base_uri = PhabricatorEnv::getURI('/');
+      $base_uri = $this->newContentSecurityPolicySource($base_uri);
+
+      $default = "'self' {$base_uri}";
     }
     $csp[] = "default-src {$default}";
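Review bot: In the new else branch `$base_uri` first holds a URI and is then overwritten with a CSP source expression, which makes the string interpolated into `default-src` read as if a raw URI (with path) were being emitted; a separate name keeps the two kinds of value apart, e.g. `$base_source = $this->newContentSecurityPolicySource(PhabricatorEnv::getURI('/'));` followed by `$default = "'self' {$base_source}";`. Whether the added source is reduced to a scheme+host form (a host-source without a path matches every path on that host, while one carrying a path is path-matched) depends on newContentSecurityPolicySource(), which is outside the hunk, so the policy text emitted for the main site should be checked once in the response headers of a custom-domain page. Building the source from the configured base URI rather than the request's Host header is the right choice for a CSP value, since it cannot be influenced by the client; that getURI('/') reads configuration is presumed here and not visible in the hunk. The enclosing method starts and ends outside the hunk.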