From 5e755fff9d70a7fd3c4f85bb524f1b774dd85b25 Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Thu, 13 Dec 2018 09:49:45 +0100
Subject: add Content Security Policy (#1252)
* add Content Security Policy
* remove reflect-metadata on production builds to get rid of unsafe-eval
* fix baseCSP usage
* add SRI to CSP
* add blob: to media-src
* remove SRI
* CSP set to reportOnly
* adding data: to connect-src CSP
* remove block-all-mixed-content
* add report-uri support
---
server/controllers/client.ts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'server/controllers/client.ts')
diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index 73b40cf65..e5bd487f1 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -2,7 +2,7 @@ import * as express from 'express'
 import { join } from 'path'
 import { root } from '../helpers/core-utils'
 import { ACCEPT_HEADERS, STATIC_MAX_AGE } from '../initializers'
-import { asyncMiddleware } from '../middlewares'
+import { asyncMiddleware, embedCSP } from '../middlewares'
 import { buildFileLocale, getCompleteLocale, is18nLocale, LOCALE_FILES } from '../../shared/models/i18n/i18n'
 import { ClientHtml } from '../lib/client-html'
 import { logger } from '../helpers/logger'
@@ -22,6 +22,7 @@ clientsRouter.use('/videos/watch/:id',
 clientsRouter.use('' +
 '/videos/embed',
+ embedCSP,
 (req: express.Request, res: express.Response, next: express.NextFunction) => {
 res.removeHeader('X-Frame-Options')
 res.sendFile(embedPath)
-- cgit v1.2.3
From 9aac44236c84f17b14ce35e358a87389766e2743 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 14 Dec 2018 15:49:36 +0100
Subject: Add video title/description when rendering html
---
server/controllers/client.ts | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
(limited to 'server/controllers/client.ts')
diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index e5bd487f1..f17f2a5d2 100644
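Review bot: The embed handler deliberately drops `X-Frame-Options` so other sites can frame the player, and with `embedCSP` now inserted in front of it the framing policy is split across two mechanisms, but nothing in the code says so; a comment such as `// Embed must be frameable cross-origin: drop X-Frame-Options here; framing policy is expected from embedCSP (frame-ancestors)` above `res.removeHeader('X-Frame-Options')` would record the intent. `embedCSP` is defined outside this hunk, and the commit message says the CSP is set to report-only, so if that middleware only emits `Content-Security-Policy-Report-Only` no framing restriction is enforced on this route at all — worth confirming that is intended and stating it in the comment. The same handler is rewritten in the next commit's hunk at `@@ -16,22 +16,20 @@`, so the comment belongs there as well. The `clientsRouter.use(...)` call this hunk modifies closes outside the hunk.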
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -16,22 +16,20 @@ const testEmbedPath = join(distPath, 'standalone', 'videos', 'test-embed.html')
 // Special route that add OpenGraph and oEmbed tags
 // Do not use a template engine for a so little thing
-clientsRouter.use('/videos/watch/:id',
- asyncMiddleware(generateWatchHtmlPage)
-)
+clientsRouter.use('/videos/watch/:id', asyncMiddleware(generateWatchHtmlPage))
-clientsRouter.use('' +
+clientsRouter.use(
 '/videos/embed',
 embedCSP,
- (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ (req: express.Request, res: express.Response) => {
 res.removeHeader('X-Frame-Options')
 res.sendFile(embedPath)
 }
 )
-clientsRouter.use('' +
- '/videos/test-embed', (req: express.Request, res: express.Response, next: express.NextFunction) => {
- res.sendFile(testEmbedPath)
-})
+clientsRouter.use(
+ '/videos/test-embed',
+ (req: express.Request, res: express.Response) => res.sendFile(testEmbedPath)
+)
 // Static HTML/CSS/JS client files
@@ -90,7 +88,7 @@ export {
 // ---------------------------------------------------------------------------
 async function generateHTMLPage (req: express.Request, res: express.Response, paramLang?: string) {
- const html = await ClientHtml.getIndexHTML(req, res, paramLang)
+ const html = await ClientHtml.getDefaultHTMLPage(req, res, paramLang)
 return sendHTML(html, res)
 }
-- cgit v1.2.3
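Review bot: `generateHTMLPage` has no doc comment, and the `@@ -90,7 +88,7 @@` hunk swaps the helper it delegates to (`getIndexHTML` → `getDefaultHTMLPage`) without stating what the function now produces or what `paramLang` is for. A TSDoc comment above the signature would close that gap, e.g. `/** Builds the default client HTML page via ClientHtml.getDefaultHTMLPage, forwarding the optional paramLang, and sends it with sendHTML. */`. The meaning of `paramLang` is decided inside `ClientHtml`, which is outside this file, so the comment should not claim more than that it is forwarded; `sendHTML` is likewise defined outside the hunk.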