[5.x] Fix: Include port in CSP for Live Preview (#11498)

Co-authored-by: Duncan McClean <[email protected]> Co-authored-by: Jason Varga <[email protected]>
statamic · Feb 25, 2025 · 7f8ec82 · 7f8ec82
1 parent 18c0d13
commit 7f8ec82
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/src/Tokens/Handlers/LivePreview.php b/src/Tokens/Handlers/LivePreview.php
@@ -39,6 +39,8 @@ private function getSchemeAndHost(Site $site): string
     {
         $parts = parse_url($site->absoluteUrl());
 
-        return $parts['scheme'].'://'.$parts['host'];
+        $port = isset($parts['port']) ? ':'.$parts['port'] : '';
+
+        return $parts['scheme'].'://'.$parts['host'].$port;
     }
 }
diff --git a/tests/Feature/Entries/AddsHeadersToLivePreviewTest.php b/tests/Feature/Entries/AddsHeadersToLivePreviewTest.php
@@ -58,17 +58,22 @@ public function it_doesnt_set_header_when_single_site()
     public function it_sets_header_when_multisite()
     {
         config()->set('statamic.system.multisite', true);
+
         $this->setSites([
-            'en' => ['url' => 'http://localhost/', 'locale' => 'en'],
-            'fr' => ['url' => 'http://localhost/fr/', 'locale' => 'fr'],
-            'third' => ['url' => 'http://third/', 'locale' => 'en'],
+            'one' => ['url' => 'http://withport.com:8080/', 'locale' => 'en'],
+            'two' => ['url' => 'http://withport.com:8080/fr/', 'locale' => 'fr'],
+            'three' => ['url' => 'http://withoutport.com/', 'locale' => 'en'],
+            'four' => ['url' => 'http://withoutport.com/fr/', 'locale' => 'fr'],
+            'five' => ['url' => 'http://third.com/', 'locale' => 'en'],
+            'six' => ['url' => 'http://third.com/fr/', 'locale' => 'fr'],
         ]);
+
         $substitute = EntryFactory::collection('test')->id('2')->slug('charlie')->data(['title' => 'Substituted title', 'foo' => 'Substituted foo'])->make();
 
         LivePreview::tokenize('test-token', $substitute);
 
         $this->get('/test?token=test-token')
             ->assertHeader('X-Statamic-Live-Preview', true)
-            ->assertHeader('Content-Security-Policy', 'frame-ancestors http://localhost http://third');
+            ->assertHeader('Content-Security-Policy', 'frame-ancestors http://withport.com:8080 http://withoutport.com http://third.com');
     }
 }