Skip to content

x/website: Content Security Policy breaks embedded YouTube videos #47973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
shubh1m opened this issue Aug 26, 2021 · 3 comments
Closed

x/website: Content Security Policy breaks embedded YouTube videos #47973

shubh1m opened this issue Aug 26, 2021 · 3 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. website
Milestone
Unreleased

Comments

@shubh1m
Copy link

shubh1m commented Aug 26, 2021
edited
Loading

What is the URL of the page with the issue?

https://go.dev/blog/io2010

What is your user agent?

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Screenshot

Screenshot 2021-08-26 at 11 44 34 AM

What did you do?

What did you expect to see?

What did you see instead?
@gopherbot gopherbot added this to the Unreleased milestone Aug 26, 2021
@hsblhsn

This comment has been minimized.

Sign in to view
@cespare
Copy link
Contributor

cespare commented Aug 26, 2021

No, this is a site issue. It's blocked because of the Content-Security-Policy header.

Here's the value of the CSP header served on the linked page:

connect-src 'self' https://golang.org www.google-analytics.com stats.g.doubleclick.net; default-src 'self'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; frame-ancestors 'none'; frame-src 'self' www.google.com feedback.googleusercontent.com www.googletagmanager.com scone-pa.clients6.google.com; img-src 'self' www.google.com www.google-analytics.com ssl.gstatic.com www.gstatic.com gstatic.com data: *; object-src 'none'; script-src 'self' 'sha256-n6OdwTrm52KqKm6aHYgD0TFUdMgww4a0GQlIAVrMzck=' 'sha256-4ryYrf7Y5daLOBv0CpYtyBIcJPZkRD2eBPdfqsN3r1M=' 'sha256-sVKX08+SqOmnWhiySYk3xC7RDUgKyAkmbXV2GWts4fo=' www.google.com apis.google.com www.gstatic.com gstatic.com support.google.com www.googletagmanager.com www.google-analytics.com ssl.google-analytics.com tagmanager.google.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com feedback.googleusercontent.com www.gstatic.com gstatic.com tagmanager.google.com;

and here's my JS console:

screen_20210826010534

@cespare cespare changed the title x/website: x/website: Content Security Policy breaks embedded YouTube videos Aug 26, 2021
@cespare cespare mentioned this issue Aug 26, 2021
Closed
@toothrot toothrot added NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. website labels Aug 26, 2021
@seankhliao seankhliao mentioned this issue Aug 30, 2021
Closed
@180909 180909 mentioned this issue Sep 3, 2021
Closed
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/347212 mentions this issue: cmd/golangorg: fix Content Security Policy breaks embedded YouTube videos

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels Sep 7, 2021
@golang golang locked and limited conversation to collaborators Sep 7, 2022
@julieqiu julieqiu removed this from Go Security Sep 8, 2022
MK825 added a commit to MK825/website that referenced this issue Oct 18, 2022
@MK825
cmd/golangorg: fix Content Security Policy breaks embedded YouTube vi…
fbc9b00 
…deos

Fixes: golang/go#47973

Change-Id: I740191abdcf971efd668f2cb683f01cece545052
GitHub-Last-Rev: 38ff822ae8e6a62f86c3ba0c3a79bb9de36fa1b5
GitHub-Pull-Request: golang/website#89
Reviewed-on: https://go-review.googlesource.com/c/website/+/347212
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Jamal Carvalho <jamal@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Website-Publish: DO NOT USE <dmitshur@google.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. website
Projects
None yet
Milestone
Unreleased
Development

Successfully merging a pull request may close this issue.

cmd/golangorg: fix Content Security Policy breaks embedded YouTube videos 180909/website
6 participants
@toothrot @cespare @dmitshur @gopherbot @shubh1m @hsblhsn