From 297b899c68784e4a2e2dfd3bd20286fc8122f104 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 11 Jul 2018 09:29:02 +1000
Subject: [PATCH] SECURITY: extra CORS headers should be set on correct host

---
 config/initializers/004-message_bus.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/initializers/004-message_bus.rb b/config/initializers/004-message_bus.rb
index 137dff182c..3ad639ffde 100644
--- a/config/initializers/004-message_bus.rb
+++ b/config/initializers/004-message_bus.rb
@@ -10,14 +10,14 @@ end
 def setup_message_bus_env(env)
 return if env["__mb"]
 
- extra_headers = {
- "Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
- "Access-Control-Allow-Methods" => "GET, POST",
- "Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
- }
-
 host = RailsMultisite::ConnectionManagement.host(env)
 RailsMultisite::ConnectionManagement.with_hostname(host) do
+ extra_headers = {
+ "Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
+ "Access-Control-Allow-Methods" => "GET, POST",
+ "Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
+ }
+
 user = nil
 begin
 user = CurrentUser.lookup_from_env(env)
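Review bot: The relocated `extra_headers` hash carries no comment saying it must stay inside `RailsMultisite::ConnectionManagement.with_hostname(host)`, and that ordering is the whole of the fix. `Discourse.base_url_no_prefix` presumably resolves against whichever site is current (inferred from the commit subject), so hoisting the hash back above the block in a later tidy-up would again send another site's origin in `Access-Control-Allow-Origin`. I would add `# base_url_no_prefix is per-site: build the CORS headers only after with_hostname has selected the request's site` directly above the hash. The diffstat shows a single file changed, so no spec pins this behaviour; a multisite request spec asserting that the header matches the requested host would catch a regression. `setup_message_bus_env` continues past the end of the hunk.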