From: Chocobozzz Date: Thu, 20 Feb 2020 09:04:36 +0000 (+0100) Subject: Fix CSP for embeds X-Git-Tag: v2.1.1~6 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=dfab4fa9c6d5b6f12ac844b191a51282b002d3f5;p=oweals%2Fpeertube.git Fix CSP for embeds
---
diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index dc3ff18fc..56685f102 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -2,10 +2,11 @@ import * as express from 'express'
 import { join } from 'path'
 import { root } from '../helpers/core-utils'
 import { ACCEPT_HEADERS, STATIC_MAX_AGE } from '../initializers/constants'
-import { asyncMiddleware } from '../middlewares'
+import { asyncMiddleware, embedCSP } from '../middlewares'
 import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '../../shared/models/i18n/i18n'
 import { ClientHtml } from '../lib/client-html'
 import { logger } from '../helpers/logger'
+import { CONFIG } from '@server/initializers/config'
 const clientsRouter = express.Router()
@@ -19,8 +20,13 @@ clientsRouter.use('/videos/watch/:id', asyncMiddleware(generateWatchHtmlPage))
 clientsRouter.use('/accounts/:nameWithHost', asyncMiddleware(generateAccountHtmlPage))
 clientsRouter.use('/video-channels/:nameWithHost', asyncMiddleware(generateVideoChannelHtmlPage))
+const embedCSPMiddleware = CONFIG.CSP.ENABLED
+ ? embedCSP
+ : (req: express.Request, res: express.Response, next: express.NextFunction) => next()
+
 clientsRouter.use(
 '/videos/embed',
+ embedCSPMiddleware,
 (req: express.Request, res: express.Response) => {
 res.removeHeader('X-Frame-Options')
 res.sendFile(embedPath)
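Review bot: `embedCSPMiddleware` is chosen once at module load from `CONFIG.CSP.ENABLED`, and nothing in the second hunk says why `/videos/embed` gets its own policy. The handler right below still calls `res.removeHeader('X-Frame-Options')`, so the header set by `embedCSP` (defined outside this diff) is presumably the only framing control left on the embed page, and with CSP disabled the no-op branch leaves it with none from this route. A comment above the constant would record that this is deliberate, e.g. `// Embeds must be frameable by other sites: X-Frame-Options is dropped below, so embedCSP is the policy that applies here`. If `CONFIG` can be reloaded while the server runs, checking `CONFIG.CSP.ENABLED` per request inside a small wrapper would keep the route in step with it. The `clientsRouter.use(` call closes outside the hunk.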