]> cat aescling's git repositories - mastodon.git/commitdiff
cat aescling's git repositories / mastodon.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 857e8eb)
fix CSP / X-Frame-Options for media embeds (#9558)
authorjomo <github@jomo.tv>
Tue, 18 Dec 2018 15:40:30 +0000 (16:40 +0100)
committerEugen Rochko <eugen@zeonfederated.com>
Tue, 18 Dec 2018 15:40:30 +0000 (16:40 +0100)
app/controllers/media_controller.rb patch | blob | history

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 88c7232dd848b5e704c86222771fd75e2d65f629..8e1624ce1b449b627f227df85a616c8f021dbb81 100644 (file)
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -6,12 +6,17 @@ class MediaController < ApplicationController
   before_action :set_media_attachment
   before_action :verify_permitted_status!
 
+  content_security_policy only: :player do |p|
+    p.frame_ancestors(false)
+  end
+
   def show
     redirect_to @media_attachment.file.url(:original)
   end
 
   def player
     @body_classes = 'player'
+    response.headers['X-Frame-Options'] = 'ALLOWALL'
     raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
   end
 
source code fur Kibicat Mastodon