From 2c1a6f746fdce3654590cb2cb6703db24148cf59 Mon Sep 17 00:00:00 2001 From: jomo Date: Tue, 18 Dec 2018 16:40:30 +0100 Subject: [PATCH] fix CSP / X-Frame-Options for media embeds (#9558) --- app/controllers/media_controller.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb index 88c7232dd84..8e1624ce1b4 100644 --- a/app/controllers/media_controller.rb +++ b/app/controllers/media_controller.rb @@ -6,12 +6,17 @@ class MediaController < ApplicationController before_action :set_media_attachment before_action :verify_permitted_status! + content_security_policy only: :player do |p| + p.frame_ancestors(false) + end + def show redirect_to @media_attachment.file.url(:original) end def player @body_classes = 'player' + response.headers['X-Frame-Options'] = 'ALLOWALL' raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv? end