Sutty/trabajo-afectivo
5
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Follow up for #2713 - Content Security Policy allows embedded content from Youtube and Vimeo.

Browse source
This commit is contained in:
Mantas Masalskis 2020-03-06 09:27:42 +01:00 committed by Thorsten Eckel
parent 77e096e211
commit 3c73022272
5 changed files with 5 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/assets/javascripts/app/controllers/knowledge_base/reader_controller.coffee
View file

@ -115,7 +115,7 @@ class App.KnowledgeBaseReaderController extends App.Controller
# coffeelint: disable=indentation # coffeelint: disable=indentation
url = switch settings.provider url = switch settings.provider
when 'youtube' when 'youtube'
"http://www.youtube.com/embed/#{settings.id}" "https://www.youtube.com/embed/#{settings.id}"
when 'vimeo' when 'vimeo'
"https://player.vimeo.com/video/#{settings.id}" "https://player.vimeo.com/video/#{settings.id}"
# coffeelint: enable=indentation # coffeelint: enable=indentation

2
app/helpers/knowledge_base_rich_text_helper.rb
View file

@ -38,7 +38,7 @@ module KnowledgeBaseRichTextHelper
url = case settings[:provider] url = case settings[:provider]
when 'youtube' when 'youtube'
"http://www.youtube.com/embed/#{settings[:id]}" "https://www.youtube.com/embed/#{settings[:id]}"
when 'vimeo' when 'vimeo'
"https://player.vimeo.com/video/#{settings[:id]}" "https://player.vimeo.com/video/#{settings[:id]}"
end end

1
config/initializers/content_security_policy.rb
View file

@ -35,6 +35,7 @@ Rails.application.config.content_security_policy do |policy|
policy.object_src :none policy.object_src :none
policy.script_src :self, :unsafe_eval, :unsafe_inline, :strict_dynamic policy.script_src :self, :unsafe_eval, :unsafe_inline, :strict_dynamic
policy.style_src :self, :unsafe_inline policy.style_src :self, :unsafe_inline
policy.frame_src 'www.youtube.com', 'player.vimeo.com'
end end
# If you are using UJS then enable automatic nonce generation # If you are using UJS then enable automatic nonce generation

2
spec/system/knowledge_base/locale/answer/edit_spec.rb
View file

@ -43,7 +43,7 @@ RSpec.describe 'Knowledge Base Locale Answer Edit', type: :system, authenticated
visit "#knowledge_base/#{knowledge_base.id}/locale/#{primary_locale.system_locale.locale}/answer/#{published_answer_with_video.id}" visit "#knowledge_base/#{knowledge_base.id}/locale/#{primary_locale.system_locale.locale}/answer/#{published_answer_with_video.id}"
iframe = find('iframe') iframe = find('iframe')
expect(iframe['src']).to start_with('http://www.youtube.com/embed/') expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
end end
end end
end end

2
spec/system/knowledge_base_public/answer_spec.rb
View file

@ -13,7 +13,7 @@ RSpec.describe 'Public Knowledge Base answer', type: :system, authenticated: fal
visit help_answer_path(primary_locale.system_locale.locale, category, published_answer_with_video) visit help_answer_path(primary_locale.system_locale.locale, category, published_answer_with_video)
iframe = find('iframe') iframe = find('iframe')
expect(iframe['src']).to start_with('http://www.youtube.com/embed/') expect(iframe['src']).to start_with('https://www.youtube.com/embed/')
end end
end end
end end