This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
added "media-src: 'self'" to CSP for resources #3578
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Synapse doesn’t allow for media resources to be played directly from Chrome. It is a problem for users on other networks (e.g. IRC) communicating with Matrix users through a gateway. The gateway sends them the raw URL for the resource when a Matrix user uploads a video and the video cannot be played directly in Chrome using that URL. Chrome argues it is not authorized to play the video because of the Content Security Policy. Chrome checks for the "media-src" policy which is missing, and defauts to the "default-src" policy which is "none". As Synapse already sends "object-src: 'self'" I thought it wouldn’t be a problem to add "media-src: 'self'" to the CSP to fix this problem.
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
Signed-off-by: Jérémy Farnaud <[email protected]>
richvdh
suggested changes
Sep 18, 2018
|
Note: Whatever happens here, the official suggestion in the spec should be updated alongside it: https://matrix.org/docs/spec/client_server/r0.4.0.html#id112 |
|
Thanks. @dbkr can you comment on the sanity of the CSP change? |
richvdh
suggested changes
Sep 19, 2018
|
This looks fine: it'll allow you to upload an html page with a |
|
@dbkr: thanks. Do you think we should also update the spec as travis suggests? |
|
Oh, yep, if it's in the spec too we should change it there. |
richvdh
approved these changes
Sep 25, 2018
https://github.com/matrix-org/matrix-doc/issues/1684 |
|
ugh now the tests are failing because the branch is out-of-date relative to sytest. merging anyway because bb5d380 passed. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Synapse doesn’t allow for media resources to be played directly from
Chrome. It is a problem for users on other networks (e.g. IRC)
communicating with Matrix users through a gateway. The gateway sends
them the raw URL for the resource when a Matrix user uploads a video
and the video cannot be played directly in Chrome using that URL.
Chrome argues it is not authorized to play the video because of the
Content Security Policy. Chrome checks for the "media-src" policy which
is missing, and defauts to the "default-src" policy which is "none".
As Synapse already sends "object-src: 'self'" I thought it wouldn’t be
a problem to add "media-src: 'self'" to the CSP to fix this problem.