From: jomo
Date: Tue, 18 Dec 2018 15:40:30 +0000 (+0100)
Subject: fix CSP / X-Frame-Options for media embeds (#9558)
X-Git-Url: https://git.xn--scling-oua.cat.family/?a=commitdiff_plain;h=2c1a6f746fdce3654590cb2cb6703db24148cf59;p=mastodon.git

fix CSP / X-Frame-Options for media embeds (#9558)
---

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 88c7232dd..8e1624ce1 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -6,12 +6,17 @@ class MediaController < ApplicationController
   before_action :set_media_attachment
   before_action :verify_permitted_status!
 
+  content_security_policy only: :player do |p|
+    p.frame_ancestors(false)
+  end
+
   def show
     redirect_to @media_attachment.file.url(:original)
   end
 
   def player
     @body_classes = 'player'
+    response.headers['X-Frame-Options'] = 'ALLOWALL'
     raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
   end
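Review bot: `ALLOWALL`, assigned on the line added inside `player`, is not a value defined for X-Frame-Options (RFC 7034 knows only DENY, SAMEORIGIN and ALLOW-FROM); it opens framing only because browsers ignore an unrecognised token, so the intent is stated more honestly by removing the framework's default header, `response.headers.delete('X-Frame-Options')`. The assignment also precedes the `raise ActiveRecord::RecordNotFound` guard, so if ApplicationController rescues that error and renders the 404 into the same response, the not-found page is sent framable too; moving the header line below the guard, or into an `after_action only: :player`, avoids that. Because `p.frame_ancestors(false)` drops the directive rather than setting it, the player now carries no frame-ancestors restriction at all, which is the point of the change but deserves a comment on the `content_security_policy` block such as `# The embed player is meant to be framed by arbitrary third-party sites, so the global frame-ancestors rule is dropped here; keep this action free of state-changing controls.`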