From 8b46d00b9bf1bed4415a9dd3aa59cf0426d2cb14 Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 1 Jun 2020 13:41:15 -0500
Subject: [PATCH] Add antiproxying protection.

Try to prevent malicious sites like danbooru.me or idanbooru.com from proxying our site and inserting ads. If we detect that we're not running on the real site, then we redirect to the real site.
---
 .../src/javascripts/{common.js => common.js.erb} | 8 ++++++++
 config/danbooru_default_config.rb | 12 +++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
 rename app/javascript/src/javascripts/{common.js => common.js.erb} (66%)

diff --git a/app/javascript/src/javascripts/common.js b/app/javascript/src/javascripts/common.js.erb
similarity index 66%
rename from app/javascript/src/javascripts/common.js
rename to app/javascript/src/javascripts/common.js.erb
index e1d8c3065..24c033dea 100644
--- a/app/javascript/src/javascripts/common.js
+++ b/app/javascript/src/javascripts/common.js.erb
@@ -19,6 +19,14 @@ $(function() {
 $('#notice').fadeOut("fast");
 e.preventDefault();
 });
+
+ const CANONICAL_DOMAIN = <%= Danbooru.config.domain.to_json.html_safe %>;
+ const CANONICAL_HOSTNAME = <%= Danbooru.config.hostname.to_json.html_safe %>;
+ const ENABLE_ANTIPROXYING = <%= Danbooru.config.enable_antiproxying?.to_json.html_safe %>;
+
+ if (ENABLE_ANTIPROXYING && !location.hostname.endsWith(CANONICAL_DOMAIN)) {
+ location.hostname = CANONICAL_HOSTNAME;
+ }
 });
 
 window.submitInvisibleRecaptchaForm = function () {
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index 999319cff..21444300c 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
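Review bot: The suffix test `!location.hostname.endsWith(CANONICAL_DOMAIN)` has no label boundary, so a copycat served from a host such as `evildonmai.us` passes it whenever `domain` is `donmai.us` and is never redirected; compare the whole name or require a dot before the domain, e.g. `const onCanonical = location.hostname === CANONICAL_DOMAIN || location.hostname.endsWith("." + CANONICAL_DOMAIN);` and then `if (ENABLE_ANTIPROXYING && !onCanonical) {`. Because this file is now a `.js.erb`, the three constants are evaluated when the asset bundle is compiled rather than per request, and the default `hostname` in the second file is `Socket.gethostname`, so a bundle built on a CI or container host with an unconfigured hostname would send every visitor to that machine's name — worth a comment above the constants such as `// Baked in at asset compile time from Danbooru.config; hostname/domain must be configured on the build host.` A proxy that rewrites response bodies can also strip or rewrite this block, so it only defends against naive proxies, which the commit message could state. The enclosing `$(function() { ... })` callback starts before this hunk.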
@@ -25,11 +25,16 @@ module Danbooru
 "Danbooru"
 end
 
- # The canonical hostname of the site.
+ # The canonical hostname for the site, e.g. danbooru.donmai.us.
 def hostname
 Socket.gethostname
 end
 
+ # The canonical base domain for the site, e.g. donmai.us.
+ def domain
+ hostname
+ end
+
 # Contact email address of the admin.
 def contact_email
 "webmaster@#{hostname}"
@@ -551,6 +556,11 @@ module Danbooru
 def redis_url
 "redis://localhost:6379"
 end
+
+ # Try to prevent copycat sites from proxying our site and inserting ads or phishing passwords.
+ def enable_antiproxying?
+ Rails.env.production?
+ end
 end
 
 class EnvironmentConfiguration
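Review bot: The new `domain` comment gives `donmai.us` as the example, but the default returns `hostname`, which is itself `Socket.gethostname` until overridden, so out of the box only names ending in the full machine name count as canonical and sibling hosts under the real base domain would be treated as proxies by the suffix check in the JavaScript. That contract belongs in the comment so operators know both values need overriding: `# The canonical base domain for the site, e.g. donmai.us. Defaults to the full hostname; override it with the registrable domain so that other hosts under it are recognized as ours.` The `module Danbooru` body continues outside this hunk.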
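Review bot: Defaulting `enable_antiproxying?` to `Rails.env.production?` switches the redirect on for every production install, including ones that never overrode `hostname`, whose default in the previous hunk is `Socket.gethostname`; such an install would redirect each visitor to an internal machine name and become unreachable. Safer to default to `false` and have operators opt in once `hostname` and `domain` are set, or at minimum say so in the comment: `# Only enable after hostname and domain are set to the site's real public names; with the default Socket.gethostname this redirects users to an unreachable host.` The redirect itself runs in client-side JavaScript, so a proxy that rewrites response bodies can remove it; this is a deterrent rather than a control, and the comment should not promise more than that.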