From 4f4d20649a76727df9b8307a1802c4910232078a Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sat, 28 Nov 2020 18:55:58 -0800
Subject: [PATCH] Use x-forwarded-host first to fill connect-src
---
 webserver.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/webserver.js b/webserver.js
index 20083ecb..90a2c8ea 100644
--- a/webserver.js
+++ b/webserver.js
@@ -4888,7 +4888,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 } else {
 // Use default security headers
 var geourl = (domain.geolocation ? ' *.openstreetmap.org' : '');
- var selfurl = (' wss://' + req.headers.host);
+ var selfurl = req.headers['x-forwarded-host'] ? (' wss://' + req.headers['x-forwarded-host']) : (' wss://' + req.headers.host);
 var headers = {
 'Referrer-Policy': 'no-referrer',
 'X-XSS-Protection': '1; mode=block',
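Review bot: The new `selfurl` line copies `req.headers['x-forwarded-host']` into the value without checking that it came from a trusted proxy or that it is a single well-formed host, and per the commit subject this value ends up in the CSP `connect-src`. Unless a fronting proxy always overwrites the header it is client-supplied, and a comma-separated list (which chained proxies can produce) or a value containing spaces or `;` would yield a malformed or broader policy than intended. I would validate before use, e.g. `var fwd = req.headers['x-forwarded-host'];` then `var selfhost = ((typeof fwd == 'string') && /^[A-Za-z0-9.-]+(:\d+)?$/.test(fwd)) ? fwd : req.headers.host;` and `var selfurl = ' wss://' + selfhost;`, and ideally honour the header only when the server is configured to run behind a reverse proxy. The enclosing function starts and ends outside the hunk, so the line that builds the policy from `selfurl` is not visible here and should be checked too.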