From 1b746f9ddda12d95b089a24a75a8eece4fcd9354 Mon Sep 17 00:00:00 2001
From: Ian Bicking
Date: Thu, 1 Jun 2017 16:31:46 -0500
Subject: [PATCH] Fix #2933, allow for EXTRA_CONTENT_ORIGIN (#2950)

This adds a new configuration, EXTRA_CONTENT_ORIGIN, which is added to the CSP

This is intended just for migrating the pageshot.net content origin
---
 server/src/config.js | 7 +++++++
 server/src/server.js | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/src/config.js b/server/src/config.js
index fb7fc6cfee..d4d8919c10 100644
--- a/server/src/config.js
+++ b/server/src/config.js
@@ -28,6 +28,13 @@ var conf = convict({
 env: "CONTENT_ORIGIN",
 arg: "contentOrigin"
 },
+ extraContentOrigin: {
+ doc: "If you have a second origin available for migration purposes",
+ format: String,
+ default: "",
+ env: "EXTRA_CONTENT_ORIGIN",
+ arg: "extraContentOrigin"
+ },
 expectProtocol: {
 doc: "Treat all incoming requests as using this protocol, instead of defaulting to http: or detecting from X-Forwarded-Proto",
 format: String,
diff --git a/server/src/server.js b/server/src/server.js
index bc463ddc01..255969edbb 100644
--- a/server/src/server.js
+++ b/server/src/server.js
@@ -199,10 +199,11 @@ app.use((req, res, next) => {
 } else {
 dsn = "";
 }
+ let extraContentOrigin = config.extraContentOrigin || "";
 req.cspNonce = uuid;
 res.header(
 "Content-Security-Policy",
- `default-src 'self'; img-src 'self' www.google-analytics.com ${CONTENT_NAME} data:; script-src 'self' www.google-analytics.com 'nonce-${uuid}'; style-src 'self' 'unsafe-inline' https://code.cdn.mozilla.net; connect-src 'self' www.google-analytics.com ${dsn}; font-src https://code.cdn.mozilla.net; frame-ancestors 'none'; object-src 'none';`);
+ `default-src 'self'; img-src 'self' www.google-analytics.com ${CONTENT_NAME}${extraContentOrigin && ' ' + extraContentOrigin} data:; script-src 'self' www.google-analytics.com 'nonce-${uuid}'; style-src 'self' 'unsafe-inline' https://code.cdn.mozilla.net; connect-src 'self' www.google-analytics.com ${dsn}; font-src https://code.cdn.mozilla.net; frame-ancestors 'none'; object-src 'none';`);
 res.header("X-Frame-Options", "DENY");
 res.header("X-Content-Type-Options", "nosniff");
 addHSTS(req, res);
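Review bot: The `extraContentOrigin` value is interpolated into the Content-Security-Policy header on the added template line with no validation, so a misconfigured value containing whitespace or `;` would silently widen or alter the policy on every response, and a value with CR/LF would likely be rejected by Node's header validation at request time rather than at startup. The natural place to fail fast is the `extraContentOrigin` entry in the config.js hunk, where convict accepts a validator in place of `format: String`, e.g. `format: (val) => { if (val && /[\s;]/.test(val)) { throw new Error("EXTRA_CONTENT_ORIGIN must be a single origin with no whitespace or ';'"); } },` so the process refuses to start with a bad value. Separately, `|| ""` on the new `let extraContentOrigin` line is redundant if `config` exposes the convict properties, since the schema already defaults the key to `""`; `const extraContentOrigin = config.extraContentOrigin;` would do. The enclosing `app.use` handler starts and ends outside the hunk.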