Fix Content Security Policy sometimes unnecessarily allowing hCaptcha scripts (#26388)

1 year ago · 97bbe8f24e
parent dd4eab6536
commit 97bbe8f24e
1 changed files with 3 additions and 1 deletions
--- a/app/controllers/concerns/captcha_concern.rb
+++ b/app/controllers/concerns/captcha_concern.rb
@ -42,7 +42,7 @@ module CaptchaConcern
  end

  def extend_csp_for_captcha!
-    policy = request.content_security_policy
+    policy = request.content_security_policy&.clone

    return unless captcha_required? && policy.present?

@ -54,6 +54,8 @@ module CaptchaConcern

      policy.send(directive, *values)
    end
+
+    request.content_security_policy = policy
  end

  def render_captcha