Add videos services to CSP (youtube-nocookie.com, meet.jit.si, etc) (d…

…ecidim#11155) * Fix content security policy * Remove openstreetmap from CSP * Apply review recommendations
Platoniq · Jul 28, 2023 · b6b024f · b6b024f
1 parent 894d19e
commit b6b024f
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 6 deletions.
diff --git a/decidim-core/lib/decidim/content_security_policy.rb b/decidim-core/lib/decidim/content_security_policy.rb
@@ -123,7 +123,7 @@ def default_policy
         "img-src" => %w('self' *.hereapi.com data:),
         "font-src" => %w('self'),
         "connect-src" => %w('self' *.hereapi.com *.jsdelivr.net),
-        "frame-src" => %w('self'),
+        "frame-src" => %w('self' www.youtube-nocookie.com player.vimeo.com),
         "media-src" => %w('self')
       }
     end

diff --git a/decidim-core/spec/controllers/concerns/content_security_policy_spec.rb b/decidim-core/spec/controllers/concerns/content_security_policy_spec.rb
@@ -46,7 +46,7 @@ def show
         expect(response.headers["Content-Security-Policy"]).to include("img-src 'self' *.hereapi.com data: https://via.placeholder.com;")
         expect(response.headers["Content-Security-Policy"]).to include("connect-src 'self' *.hereapi.com *.jsdelivr.net;")
         expect(response.headers["Content-Security-Policy"]).to include("font-src 'self';")
-        expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self';")
+        expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' www.youtube-nocookie.com player.vimeo.com;")
         expect(response.headers["Content-Security-Policy"]).to include("media-src 'self'")
       end
 
@@ -61,7 +61,7 @@ def show
           expect(response.headers["Content-Security-Policy"]).to include("img-src 'self' *.hereapi.com data: https://via.placeholder.com https://img.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("connect-src 'self' *.hereapi.com *.jsdelivr.net https://connect.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("font-src 'self' https://font.example.org;")
-          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' https://frame.example.org;")
+          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' www.youtube-nocookie.com player.vimeo.com https://frame.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("media-src 'self' https://example.org")
         end
       end
@@ -76,7 +76,7 @@ def show
           expect(response.headers["Content-Security-Policy"]).to include("img-src 'self' *.hereapi.com data: https://img.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("connect-src 'self' *.hereapi.com *.jsdelivr.net https://connect.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("font-src 'self' https://font.example.org;")
-          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' https://frame.example.org;")
+          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' www.youtube-nocookie.com player.vimeo.com https://frame.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("media-src 'self' https://example.org")
         end
       end
@@ -122,7 +122,7 @@ def show
           expect(response.headers["Content-Security-Policy"]).to include("img-src 'self' *.hereapi.com data: https://img.example.org https://via.placeholder.com;")
           expect(response.headers["Content-Security-Policy"]).to include("connect-src 'self' *.hereapi.com *.jsdelivr.net https://connect.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("font-src 'self' https://font.example.org;")
-          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' https://frame.example.org;")
+          expect(response.headers["Content-Security-Policy"]).to include("frame-src 'self' www.youtube-nocookie.com player.vimeo.com https://frame.example.org;")
           expect(response.headers["Content-Security-Policy"]).to include("media-src 'self' https://example.org")
         end
       end

diff --git a/decidim-core/spec/lib/content_security_policy_spec.rb b/decidim-core/spec/lib/content_security_policy_spec.rb
@@ -18,7 +18,7 @@ module Decidim
       it { expect(subject.output_policy).to include("img-src 'self' *.hereapi.com data:;") }
       it { expect(subject.output_policy).to include("connect-src 'self' *.hereapi.com *.jsdelivr.net;") }
       it { expect(subject.output_policy).to include("font-src 'self';") }
-      it { expect(subject.output_policy).to include("frame-src 'self';") }
+      it { expect(subject.output_policy).to include("frame-src 'self' www.youtube-nocookie.com player.vimeo.com;") }
       it { expect(subject.output_policy).to include("media-src 'self'") }
     end
 

diff --git a/decidim-meetings/lib/decidim/meetings/engine.rb b/decidim-meetings/lib/decidim/meetings/engine.rb
@@ -50,6 +50,12 @@ class Engine < ::Rails::Engine
         end
       end
 
+      initializer "decidim_meetings.content_security_handlers" do |_app|
+        Decidim.configure do |config|
+          config.content_security_policies_extra.deep_merge!({ "frame-src" => %w(player.twitch.tv meet.jit.si) })
+        end
+      end
+
       initializer "decidim_meetings.view_hooks" do
         Decidim.view_hooks.register(:participatory_space_highlighted_elements, priority: Decidim::ViewHooks::HIGH_PRIORITY) do |view_context|
           view_context.cell("decidim/meetings/highlighted_meetings", view_context.current_participatory_space)