fix CSP / X-Frame-Options for media embeds (#9558)
This commit is contained in:
parent
857e8eb312
commit
2c1a6f746f
|
@ -6,12 +6,17 @@ class MediaController < ApplicationController
|
||||||
before_action :set_media_attachment
|
before_action :set_media_attachment
|
||||||
before_action :verify_permitted_status!
|
before_action :verify_permitted_status!
|
||||||
|
|
||||||
|
content_security_policy only: :player do |p|
|
||||||
|
p.frame_ancestors(false)
|
||||||
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
redirect_to @media_attachment.file.url(:original)
|
redirect_to @media_attachment.file.url(:original)
|
||||||
end
|
end
|
||||||
|
|
||||||
def player
|
def player
|
||||||
@body_classes = 'player'
|
@body_classes = 'player'
|
||||||
|
response.headers['X-Frame-Options'] = 'ALLOWALL'
|
||||||
raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
|
raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue