Merge pull request #1211 from noesya/fix-iframe-url

fix iframe url in csp

Merge pull request #1211 from noesya/fix-iframe-url
d36dc94f · Sébastien Gaya · GitHub · 6d1a8228 · f5023744 · d36dc94f
Unverified Commit d36dc94f authored 1 year ago by Sébastien Gaya Committed by GitHub 1 year ago
--- a/app/models/communication/website/with_security.rb
+++ b/app/models/communication/website/with_security.rb
@@ -32,7 +32,8 @@ module Communication::Website::WithSecurity
    list = []
    blocks.where(template_kind: :video).each do |block|
      video_url = block.template.url
-      list << URI.parse(video_url).host if url.present?
+      next unless video_url.present?
+      list << Video::Provider.find(video_url).csp_domain
    end
    list
  end

--- a/app/services/video/provider/default.rb
+++ b/app/services/video/provider/default.rb
 class Video::Provider::Default
  DOMAINS = []
-  
+
  attr_reader :video_url

  include ActionView::Helpers::TagHelper
@@ -17,6 +17,10 @@ class Video::Provider::Default
    video_url
  end

+  def csp_domain
+    URI.parse(iframe_url).host
+  end
+
  def iframe_tag(**iframe_options)
    content_tag(:iframe, nil, default_iframe_options.merge(iframe_options))
  end
@@ -36,8 +40,8 @@ class Video::Provider::Default
  protected

  def url_in_domains?
-    self.class::DOMAINS.any? do |domain| 
-      video_url.include?(domain) 
+    self.class::DOMAINS.any? do |domain|
+      video_url.include?(domain)
    end
  end
 end
--- a/test/services/video/provider_test.rb
+++ b/test/services/video/provider_test.rb
@@ -10,26 +10,33 @@ class Video::ProviderTest < ActiveSupport::TestCase
  def test_vimeo
    provider = Video::Provider.find('https://vimeo.com/248482251')
    assert_equal Video::Provider::Vimeo, provider.class
+    assert_equal "player.vimeo.com", provider.csp_domain
  end

  def test_youtube
    provider = Video::Provider.find('https://www.youtube.com/watch?v=sN8Cq5HEBug')
    assert_equal Video::Provider::Youtube, provider.class
+    assert_equal "www.youtube.com", provider.csp_domain
    provider = Video::Provider.find('https://youtu.be/sN8Cq5HEBug')
    assert_equal Video::Provider::Youtube, provider.class
+    assert_equal "www.youtube.com", provider.csp_domain
  end

  def test_dailymotion
    provider = Video::Provider.find('https://www.dailymotion.com/video/x35l6b8')
    assert_equal Video::Provider::Dailymotion, provider.class
+    assert_equal "www.dailymotion.com", provider.csp_domain
    provider = Video::Provider.find('https://dai.ly/x35l6b8')
    assert_equal Video::Provider::Dailymotion, provider.class
+    assert_equal "www.dailymotion.com", provider.csp_domain
  end

  def test_peertube
    provider = Video::Provider.find('https://peertube.fr/w/1i848Qvi7Q3ytW2uPY8AxG')
    assert_equal Video::Provider::Peertube, provider.class
+    assert_equal "peertube.fr", provider.csp_domain
    provider = Video::Provider.find('https://peertube.my.noesya.coop/w/qBMwAAULLA9oadFgbtdyq8')
    assert_equal Video::Provider::Peertube, provider.class
+    assert_equal "peertube.my.noesya.coop", provider.csp_domain
  end
 end
\ No newline at end of file