Skip to content

Commit

Permalink
fix CSP / X-Frame-Options for media embeds (mastodon#9558)
Browse files Browse the repository at this point in the history
  • Loading branch information
@jomo @hiyuki2578
jomo authored and hiyuki2578 committed Oct 2, 2019
1 parent 69faeb2 commit e94794d
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions app/controllers/media_controller.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,17 @@ class MediaController < ApplicationController
before_action :set_media_attachment
before_action :verify_permitted_status!

content_security_policy only: :player do |p|
p.frame_ancestors(false)
end

def show
redirect_to @media_attachment.file.url(:original)
end

def player
@body_classes = 'player'
response.headers['X-Frame-Options'] = 'ALLOWALL'
raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
end

Expand Down

0 comments on commit e94794d

Please sign in to comment.