mirror of
https://github.com/element-hq/synapse.git
synced 2024-11-26 03:25:53 +03:00
added "media-src: 'self'" to CSP for resources (#3578)
Synapse doesn’t allow for media resources to be played directly from Chrome. It is a problem for users on other networks (e.g. IRC) communicating with Matrix users through a gateway. The gateway sends them the raw URL for the resource when a Matrix user uploads a video and the video cannot be played directly in Chrome using that URL. Chrome argues it is not authorized to play the video because of the Content Security Policy. Chrome checks for the "media-src" policy which is missing, and defauts to the "default-src" policy which is "none". As Synapse already sends "object-src: 'self'" I thought it wouldn’t be a problem to add "media-src: 'self'" to the CSP to fix this problem.
This commit is contained in:
parent
94f7befc31
commit
6cf261930a
2 changed files with 2 additions and 0 deletions
1
changelog.d/3578.bugfix
Normal file
1
changelog.d/3578.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Fix problem when playing media from Chrome using direct URL (thanks @remjey!)
|
|
@ -52,6 +52,7 @@ class DownloadResource(Resource):
|
|||
b" script-src 'none';"
|
||||
b" plugin-types application/pdf;"
|
||||
b" style-src 'unsafe-inline';"
|
||||
b" media-src 'self';"
|
||||
b" object-src 'self';"
|
||||
)
|
||||
server_name, media_id, name = parse_media_id(request)
|
||||
|
|
Loading…
Reference in a new issue