From f512fe9636d514338042cd0170ec526d3ee3e3ca Mon Sep 17 00:00:00 2001
From: Dominik Geyer
Date: Fri, 10 May 2024 09:47:14 +0200
Subject: [PATCH] Fix: Add video service providers to CSP allow list

This adds the URLs of currently used video services to the CSP allow list for type frame so that video preview thumbnails are shown in backend.

Before this fix the video preview thumbnails are not shown but instead following message is logged to console:

`Refused to frame 'https://www.youtube-nocookie.com/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".`
---
 src/Security/ContentSecurityPolicyHandler.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Security/ContentSecurityPolicyHandler.php b/src/Security/ContentSecurityPolicyHandler.php
index bbcecefd05..3a93ab2c84 100644
--- a/src/Security/ContentSecurityPolicyHandler.php
+++ b/src/Security/ContentSecurityPolicyHandler.php
@@ -56,6 +56,11 @@ class ContentSecurityPolicyHandler implements LoggerAwareInterface
         self::SCRIPT_OPT => [
             'https://buttons.github.io/buttons.js', // GitHub star button on login page
         ],
+        self::FRAME_OPT => [
+            'https://www.youtube-nocookie.com/', // Video preview thumbnail for YouTube
+            'https://www.dailymotion.com/', // Video preview thumbnail for Dailymotion
+            'https://player.vimeo.com/', // Video preview thumbnail for Vimeo
+        ],
     ];
 
     public function __construct(protected Config $config, protected array $cspHeaderOptions = [])
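Review bot: The three new `frame-src` entries allow any path on each host, because a CSP host-source whose path ends in `/` is a prefix match, so `'https://www.dailymotion.com/'` whitelists the whole site for framing; if the preview embeds the providers' standard player URLs (presumably `/embed/…` and `/video/…`), the entries can be narrowed to `'https://www.youtube-nocookie.com/embed/'`, `'https://www.dailymotion.com/embed/'`, `'https://player.vimeo.com/video/'`. Note that CSP path matching is only enforced on the initial request and is ignored after a redirect, so this is a tightening, not a guarantee. The line comments say "thumbnail", but what the logged violation refused was framing the provider origin, i.e. the embedded player iframe, so a comment such as `// Embedded YouTube player shown in the backend video preview` describes the entry more accurately. If the set of supported video services is registered elsewhere in the codebase, deriving this list from that registry would keep the two from drifting apart when a provider is added; I cannot tell from the hunk whether such a registry exists. The enclosing array starts before the hunk, so the `FRAME_OPT` constant and any existing `frame-src` defaults these entries merge with are not visible here.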