X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/968bc8cdf354d9cbe29b88abdc747a7845031fab..refs/pull/5676/head:/app/Util/CspService.php
diff --git a/app/Util/CspService.php b/app/Util/CspService.php
index 227ec8e0b..4262b5c98 100644
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@@ -133,18 +133,30 @@ class CspService
 protected function getAllowedIframeSources(): array
 {
- $sources = config('app.iframe_sources', '');
- $hosts = array_filter(explode(' ', $sources));
+ $sources = explode(' ', config('app.iframe_sources', ''));
+ $sources[] = $this->getDrawioHost();
- // Extract drawing service url to allow embedding if active
+ return array_filter($sources);
+ }
+
+ /**
+ * Extract the host name of the configured drawio URL for use in CSP.
+ * Returns empty string if not in use.
+ */
+ protected function getDrawioHost(): string
+ {
 $drawioConfigValue = config('services.drawio');
- if ($drawioConfigValue) {
- $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
- $drawioSourceParsed = parse_url($drawioSource);
- $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
- $hosts[] = $drawioHost;
+ if (!$drawioConfigValue) {
+ return '';
+ }
+
+ $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';
+ $drawioSourceParsed = parse_url($drawioSource);
+ $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];
+ if (isset($drawioSourceParsed['port'])) {
+ $drawioHost .= ':' . $drawioSourceParsed['port'];
 }
- return $hosts;
+ return $drawioHost;
 }
 }
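Review bot: In the new `getDrawioHost()`, `$drawioSourceParsed['scheme']` and `['host']` are read without checking that `parse_url()` returned an array containing them, so a malformed or scheme-less `services.drawio` value produces null lookups and a bare `://` fragment that `getAllowedIframeSources()` then emits into the CSP frame-src list instead of failing cleanly. Because this value feeds an allowlist, it should fail closed: after the `parse_url` call add `if (!is_array($drawioSourceParsed) || empty($drawioSourceParsed['scheme']) || empty($drawioSourceParsed['host'])) { return ''; }`, which also keeps the existing `array_filter` dropping the entry. The docblock should reflect the port handling added here, e.g. `Returns scheme://host[:port], or an empty string if drawio is not in use or the URL is unusable.` The unchecked indexing is inherited from the removed lines, so this is not a regression of the commit, but the extraction into a helper is the natural place to add the guard.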