FIX: Set CSP base-uri to `self` (#13654)

FIX: Set CSP base-uri to self (#13654)

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index daebd99..8029bad 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -9,7 +9,7 @@ class ContentSecurityPolicy
       @base_url = base_url
       @directives = {}.tap do |directives|
         directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
-        directives[:base_uri] = [:none]
+        directives[:base_uri] = [:self]
         directives[:object_src] = [:none]
         directives[:script_src] = script_src
         directives[:worker_src] = worker_src
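Review bot: The change of `directives[:base_uri]` from `[:none]` to `[:self]` loosens the policy, but neither the code nor the commit message says which feature needs a `<base>` element. A short comment above the line would keep a later hardening pass from reverting it blindly, for example `# base-uri 'self': <reason a <base> tag is required>; still blocks re-basing relative URLs to another origin`. With `'self'`, an injected `<base href>` may point at any same-origin path. If user-controlled files can be served from the site's own origin (not visible in this hunk), relative script and form URLs could resolve there, so `script_src` remains the control that matters. The `tap` block starts and ends outside the hunk.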
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index 20ea52d..a2d85c5 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -19,9 +19,9 @@ describe ContentSecurityPolicy do
   end
 
   describe 'base-uri' do
-    it 'is set to none' do
+    it 'is set to self' do
       base_uri = parse(policy)['base-uri']
-      expect(base_uri).to eq(["'none'"])
+      expect(base_uri).to eq(["'self'"])
     end
   end
 

GitHub sha: 35110f66817252250c40295a507d86aa03477dff

This commit appears in #13654 which was approved by davidtaylorhq. It was merged by pmusaraj.