Selective route permission to use embeds, fixes #322 in a better way #812
Conversation
support/nginx/peertube
Outdated
@@ -38,6 +38,8 @@ server { | |||
# resolver_timeout 5s; | |||
|
|||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | |||
add_header X-Frame-Options DENY; | |||
add_header X-Frame-Options https://peertube.example.com/videos/embed; |
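Review bot: the second `add_header X-Frame-Options https://peertube.example.com/videos/embed;` line is not a valid X-Frame-Options value, and together with the `add_header X-Frame-Options DENY;` line above it every response now carries two conflicting X-Frame-Options headers. The header only accepts `DENY`, `SAMEORIGIN` or `ALLOW-FROM <origin>`, and `ALLOW-FROM` is not honoured by Chrome or Safari, so it cannot express "frameable only under /videos/embed" at all. Keep `DENY` at server level, drop the second line, and put the exception in a `location /videos/embed` block that sets `add_header Content-Security-Policy "frame-ancestors *";` (or an allow-list of origins); since nginx `add_header` directives inside a `location` replace all inherited ones, that block must also repeat the `Strict-Transport-Security` line.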
If people forget to update this, the default position will be to deny embeds. I think the default should be to allow embeds. This header should be applied dynamically in the codebase not in the server configuration.
Should be corrected.
c24c18d to d3c5e5c
server.ts
Outdated
app.use('/services', servicesRouter, helmet.frameguard({ | ||
action: 'allow-from', | ||
domain: CONFIG.WEBSERVER.URL | ||
})) |
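Review bot: `helmet.frameguard(...)` is mounted after `servicesRouter` in the same `app.use('/services', ...)` call, so for every request the router answers the frameguard middleware never executes and no X-Frame-Options header is set; move it ahead of the router, i.e. `app.use('/services', helmet.frameguard({ ... }), servicesRouter)`. Independently, `action: 'allow-from'` with `domain: CONFIG.WEBSERVER.URL` names only the instance's own origin, which is what `SAMEORIGIN` already expresses, and `ALLOW-FROM` is not honoured by Chrome or Safari, so third-party sites still cannot frame the player; a `Content-Security-Policy: frame-ancestors` directive scoped to the embed route is the portable way to state the allowed origins.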
The regular HTML embed is served from /embed, this is the oembed part
edcf5d6 to e9a49a2
e9a49a2 to be9520d
@rezonant I've added a CSP since helmet makes adding one quite easy. Could you have a look at it?
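What a per-route framing policy looks like when it lives in the application rather than in nginx, following the two points raised above (set the header dynamically in the codebase; express the allow case with a CSP). This is an added example, not PeerTube's code and not helmet's API: `WEBSERVER_URL`, `EMBED_PATH_PREFIX`, the `FramingPolicy` type, `HeaderSink` and all function names are assumptions. Every path gets `X-Frame-Options: DENY` plus `frame-ancestors 'none'` unless it is the embed player, which gets `frame-ancestors` with either `*` or a validated allow-list, because X-Frame-Options cannot carry a list of origins and its `ALLOW-FROM` form is ignored by Chrome and Safari.

```typescript
// Assumed stand-ins for the instance configuration (not PeerTube's CONFIG object).
const WEBSERVER_URL = 'https://peertube.example.com';
// Only responses under this prefix (the HTML player) may be framed by other sites.
const EMBED_PATH_PREFIX = '/videos/embed/';

export type FramingPolicy =
  | { kind: 'deny' }
  | { kind: 'allow-any' }
  | { kind: 'allow-list'; origins: string[] };

// Structural view of Node's ServerResponse / Express `res`: anything with setHeader fits.
export interface HeaderSink {
  setHeader(name: string, value: string): void;
}

// Shape accepted for a configured ancestor: scheme://host[:port], optionally a *.host wildcard.
const ORIGIN_RE = /^https?:\/\/(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$/;

/** Drop query string and fragment. Prefer a router-normalised path (Express req.path) where available. */
export function pathnameOf(url: string): string {
  return url.split('?')[0].split('#')[0];
}

/** Default deny; the embed player is frameable by anyone, or only by a configured allow-list. */
export function framingPolicyFor(pathname: string, allowedOrigins: string[] = []): FramingPolicy {
  const isEmbed = pathname.slice(0, EMBED_PATH_PREFIX.length) === EMBED_PATH_PREFIX;
  if (!isEmbed) return { kind: 'deny' };
  if (allowedOrigins.length === 0) return { kind: 'allow-any' };
  return { kind: 'allow-list', origins: allowedOrigins };
}

/** Headers for a policy. X-Frame-Options is sent only for DENY, as a fallback for old browsers;
 *  the allow cases use CSP frame-ancestors, the only header that takes a list of origins. */
export function framingHeaders(policy: FramingPolicy): Record<string, string> {
  switch (policy.kind) {
    case 'deny':
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'allow-any':
      return { 'Content-Security-Policy': 'frame-ancestors *' };
    case 'allow-list': {
      // Validate every configured entry: a stray ';' would otherwise start a new CSP directive.
      // The instance's own origin is always included, and duplicates are dropped.
      const sources: string[] = [WEBSERVER_URL];
      for (const raw of policy.origins) {
        const origin = raw.trim();
        if (ORIGIN_RE.test(origin) && sources.indexOf(origin) === -1) sources.push(origin);
      }
      return { 'Content-Security-Policy': 'frame-ancestors ' + sources.join(' ') };
    }
    default: {
      const unreachable: never = policy;
      throw new Error('unknown framing policy: ' + JSON.stringify(unreachable));
    }
  }
}

/** Set the headers on a response. Must run before the route handler writes anything,
 *  i.e. be mounted ahead of the router rather than after it. Returns the policy chosen. */
export function applyFramingHeaders(
  pathname: string,
  res: HeaderSink,
  allowedOrigins: string[] = []
): FramingPolicy {
  const policy = framingPolicyFor(pathname, allowedOrigins);
  const headers = framingHeaders(policy);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  return policy;
}
```

In an Express app the call sits in a middleware mounted before any router, for example `app.use((req, res, next) => { applyFramingHeaders(req.path, res, CONFIG.EMBED.ALLOWED_ORIGINS); next() })`, where `CONFIG.EMBED.ALLOWED_ORIGINS` is a hypothetical setting. Because the embed exception is part of the code path rather than a line an admin has to remember in the nginx template, embeds work on a fresh install while every other route stays non-frameable.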
be9520d to 8c3caec
note: this time it should work 😅