(embed) sandbox the iframe

author Rigel Kent <sendmemail@rigelk.eu>

Sun, 10 Jun 2018 16:20:19 +0000 (18:20 +0200)

committer Chocobozzz <me@florianbigard.com>

Mon, 11 Jun 2018 15:18:04 +0000 (17:18 +0200)
author Rigel Kent <sendmemail@rigelk.eu>
Sun, 10 Jun 2018 16:20:19 +0000 (18:20 +0200)
committer Chocobozzz <me@florianbigard.com>
Mon, 11 Jun 2018 15:18:04 +0000 (17:18 +0200)
diff --git a/client/src/assets/player/utils.ts b/client/src/assets/player/utils.ts

index b7cd40aa28e9155577ed49b1f270e1f3b92a33ec..18a6b4dfa48b12d70ed61a1a1aff6b1650da0f82 100644 (file)
--- a/client/src/assets/player/utils.ts
+++ b/client/src/assets/player/utils.ts
@@ -92,6 +92,7 @@ function buildVideoLink (time?: number) {
  
  function buildVideoEmbed (embedUrl: string) {
    return '<iframe width="560" height="315" ' +
+    'sandbox="allow-same-origin allow-scripts" ' +
      'src="' + embedUrl + '" ' +
      'frameborder="0" allowfullscreen>' +
      '</iframe>'
diff --git a/server/controllers/services.ts b/server/controllers/services.ts

index a58a5b8cf2b49a068de56f2480b2e39271198c4c..1f82db9c40a7a7c6a71ddee1978251f391eb2b09 100644 (file)
--- a/server/controllers/services.ts
+++ b/server/controllers/services.ts
@@ -45,7 +45,7 @@ function generateOEmbed (req: express.Request, res: express.Response, next: expr
      thumbnailUrl = undefined
    }
  
-  const html = `<iframe width="${embedWidth}" height="${embedHeight}" src="${embedUrl}" frameborder="0" allowfullscreen></iframe>`
+  const html = `<iframe width="${embedWidth}" height="${embedHeight}" sandbox="allow-same-origin allow-scripts" src="${embedUrl}" frameborder="0" allowfullscreen></iframe>`
  
    const json: any = {
      type: 'video',
author	Rigel Kent <sendmemail@rigelk.eu>
	Sun, 10 Jun 2018 16:20:19 +0000 (18:20 +0200)
committer	Chocobozzz <me@florianbigard.com>
	Mon, 11 Jun 2018 15:18:04 +0000 (17:18 +0200)
client/src/assets/player/utils.ts		patch \| blob \| history
server/controllers/services.ts		patch \| blob \| history