CSP: Allow iframes on embed player

author href <href@random.sh>

Tue, 19 Feb 2019 17:17:37 +0000 (18:17 +0100)

committer href <href@random.sh>

Tue, 19 Feb 2019 17:19:13 +0000 (18:19 +0100)
author href <href@random.sh>
Tue, 19 Feb 2019 17:17:37 +0000 (18:17 +0100)
committer href <href@random.sh>
Tue, 19 Feb 2019 17:19:13 +0000 (18:19 +0100)
diff --git a/lib/pleroma/web/ostatus/ostatus_controller.ex b/lib/pleroma/web/ostatus/ostatus_controller.ex

index 860b8210e43581dee7b6b43d2ac4b92aaf5425c3..4877e032bf015f1f7b54083ef828a52a525416ba 100644 (file)
--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
@@ -194,6 +194,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do
           true <- String.starts_with?(url["mediaType"], ["audio", "video"]) do
        conn
        |> put_layout(:metadata_player)
+      |> put_resp_header("x-frame-options", "ALLOW")
+      |> put_resp_header(
+        "content-security-policy",
+        "default-src 'none'; img-src 'self' data: https:; media-src 'self' https:;"
+      )
        |> put_view(Pleroma.Web.Metadata.PlayerView)
        |> render("player.html", url)
      else
author	href <href@random.sh>
	Tue, 19 Feb 2019 17:17:37 +0000 (18:17 +0100)
committer	href <href@random.sh>
	Tue, 19 Feb 2019 17:19:13 +0000 (18:19 +0100)