From 3c730222720048824e35ac31c90944e18924ff2c Mon Sep 17 00:00:00 2001
From: Mantas Masalskis
Date: Fri, 6 Mar 2020 09:27:42 +0100
Subject: [PATCH] Follow up for #2713 - Content Security Policy allows embedded content from Youtube and Vimeo.
---
 .../app/controllers/knowledge_base/reader_controller.coffee | 2 +-
 app/helpers/knowledge_base_rich_text_helper.rb | 2 +-
 config/initializers/content_security_policy.rb | 1 +
 spec/system/knowledge_base/locale/answer/edit_spec.rb | 2 +-
 spec/system/knowledge_base_public/answer_spec.rb | 2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee b/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
index 8fd8ec7df..388b91566 100644
--- a/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
+++ b/app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
@@ -115,7 +115,7 @@ class App.KnowledgeBaseReaderController extends App.Controller
 # coffeelint: disable=indentation
 url = switch settings.provider
 when 'youtube'
- "http://www.youtube.com/embed/#{settings.id}"
+ "https://www.youtube.com/embed/#{settings.id}"
 when 'vimeo'
 "https://player.vimeo.com/video/#{settings.id}"
 # coffeelint: enable=indentation
diff --git a/app/helpers/knowledge_base_rich_text_helper.rb b/app/helpers/knowledge_base_rich_text_helper.rb
index cb945ee36..d1ed9c0a6 100644
--- a/app/helpers/knowledge_base_rich_text_helper.rb
+++ b/app/helpers/knowledge_base_rich_text_helper.rb
@@ -38,7 +38,7 @@ module KnowledgeBaseRichTextHelper
 url = case settings[:provider]
 when 'youtube'
- "http://www.youtube.com/embed/#{settings[:id]}"
+ "https://www.youtube.com/embed/#{settings[:id]}"
 when 'vimeo'
 "https://player.vimeo.com/video/#{settings[:id]}"
 end
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index fab53696a..be4a2b114 100644
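Review bot: The `settings.id` value is still interpolated unencoded into the embed URL on the `+` line, and the same pattern is on the `+` line of the knowledge_base_rich_text_helper.rb hunk with `settings[:id]`; only the scheme changed in this commit. If the id originates from user-authored answer content, a value containing `/`, `?` or `#` can change the path or append query parameters of the framed URL, and the new frame-src allowlist does not catch that because the host part is unchanged. Consider `encodeURIComponent(settings.id)` here and `ERB::Util.url_encode(settings[:id])` in the helper, or validating the id against the provider's expected id format before building the URL. The method enclosing this `switch` starts and ends outside the hunk, as does the `case` in the helper hunk.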
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -35,6 +35,7 @@ Rails.application.config.content_security_policy do |policy|
 policy.object_src :none
 policy.script_src :self, :unsafe_eval, :unsafe_inline, :strict_dynamic
 policy.style_src :self, :unsafe_inline
+ policy.frame_src 'www.youtube.com', 'player.vimeo.com'
 end
 # If you are using UJS then enable automatic nonce generation
diff --git a/spec/system/knowledge_base/locale/answer/edit_spec.rb b/spec/system/knowledge_base/locale/answer/edit_spec.rb
index bc656d416..2e25160f5 100644
--- a/spec/system/knowledge_base/locale/answer/edit_spec.rb
+++ b/spec/system/knowledge_base/locale/answer/edit_spec.rb
@@ -43,7 +43,7 @@ RSpec.describe 'Knowledge Base Locale Answer Edit', type: :system, authenticated
 visit "#knowledge_base/#{knowledge_base.id}/locale/#{primary_locale.system_locale.locale}/answer/#{published_answer_with_video.id}"
 iframe = find('iframe')
- expect(iframe['src']).to start_with('http://www.youtube.com/embed/')
+ expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
 end
 end
 end
diff --git a/spec/system/knowledge_base_public/answer_spec.rb b/spec/system/knowledge_base_public/answer_spec.rb
index e5e5532b1..a84ee4cf9 100644
--- a/spec/system/knowledge_base_public/answer_spec.rb
+++ b/spec/system/knowledge_base_public/answer_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe 'Public Knowledge Base answer', type: :system, authenticated: fal
 visit help_answer_path(primary_locale.system_locale.locale, category, published_answer_with_video)
 iframe = find('iframe')
- expect(iframe['src']).to start_with('http://www.youtube.com/embed/')
+ expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
 end
 end
 end
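Review bot: The new `frame_src` entry lists both hosts without a scheme, so a scheme-less host-source matches whatever scheme the page itself is served over (plus https when the page is http); since the controller and helper in this same commit now emit https-only embed URLs, pin the directive to match, `policy.frame_src 'https://www.youtube.com', 'https://player.vimeo.com'`. An explicitly set frame-src also stops falling back to default-src, so if the application frames any of its own pages, `:self` has to be added here as well; that cannot be judged from this hunk. The provider host list now lives in three places (this initializer, reader_controller.coffee and KnowledgeBaseRichTextHelper) and they have to move together, so a line such as `# Keep in sync with the embed URLs built in KnowledgeBaseRichTextHelper and reader_controller.coffee` above the directive would help the next maintainer. The `content_security_policy do |policy|` block begins outside the hunk.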