same_origin? returns false for bad URIs

Neal Harris · Neal Harris · commit 438065abf73a · 2014-08-11T15:32:27.000-07:00
diff --git a/lib/secure_headers/headers/content_security_policy.rb b/lib/secure_headers/headers/content_security_policy.rb
@@ -177,8 +177,13 @@ def normalize_reporting_endpoint
     def same_origin?
       return unless report_uri && request_uri
 
-      origin = URI.parse(request_uri)
-      uri = URI.parse(report_uri)
+      begin
+        origin = URI.parse(request_uri)
+        uri = URI.parse(report_uri)
+      rescue URI::InvalidURIError
+        return false
+      end
+
       uri.host == origin.host && origin.port == uri.port && origin.scheme == uri.scheme
     end
 
