YunoHost-Apps / castopod_ynh

Castopod package for YunoHost
https://podlibre.org/
GNU General Public License v3.0

Twitter Card Player does not display properly for episodes links #63

Closed ELCourtez closed 2 years ago

ELCourtez commented 2 years ago

Describe the bug

When sharing an episode link on Twitter, the Twitter Card Player does not display properly (this issue does not occur with Castopod instances not hosted with YunoHost).

Context

Steps to reproduce

Expected behavior

The player displays properly and the episode can be played from Twitter directly.

Logs

Response HTTP headers, the issue comes from the header in italic-bold

HTTP/2 200 OK
server: nginx
content-type: text/html; charset=UTF-8
x-sso-wat: You've just been SSOed
content-security-policy: upgrade-insecure-requests
set-cookie: ci_session=rvuprd70a56mcsdqpms5pc6rho36i7ku; expires=Tue, 03-May-2022 23:12:25 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
cache-control: no-store, max-age=0, no-cache
date: Tue, 03 May 2022 21:12:27 GMT
set-cookie: csrf_cookie_name=53259b0d1e51edd011657aa27d1e838b; expires=Tue, 03-May-2022 23:12:25 GMT; Max-Age=7198; path=/; HttpOnly; SameSite=Lax
content-security-policy-report-only: default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
strict-transport-security: max-age=63072000; includeSubDomains; preload
X-Firefox-Spdy: h2

Provisional resolution (probably not applicable for all configurations)

ericgaspar commented 2 years ago

I am not using Castopod myself... Can you test this branch and see if it fixes the issue?

sudo yunohost app upgrade castopod -u https://github.com/YunoHost-Apps/castopod_ynh/tree/nginx
ELCourtez commented 2 years ago

I have the message "castopod is already up-to-date" and no changes have been applied.

Maybe the app version in the manifest file has to be incremented for this upgrade to take effect?

admin@woodphant:/etc/nginx/conf.d $ sudo yunohost app upgrade castopod -u https://github.com/YunoHost-Apps/castopod_ynh/tree/nginx
Info: Now upgrading castopod...
Success! castopod is already up-to-date
Success! Upgrade complete
ericgaspar commented 2 years ago

Just use the option --force:

sudo yunohost app upgrade castopod -u https://github.com/YunoHost-Apps/castopod_ynh/tree/nginx --force
ELCourtez commented 2 years ago

After the upgrade this is still KO; I corrected it as you can see below:

  # Add headers to serve security related headers
  #more_set_headers "Strict-Transport-Security: frame-ancestors http://*:* https://*:*";
  more_set_headers "Content-Security-Policy : frame-ancestors http://*:* https://*:*";
ghost commented 2 years ago

I am having this same issue. Tried to edit as in the above reply, still no go.

navanchauhan commented 2 years ago

Okay, I investigated this a bit and even though the Twitter card validator does not work, sharing on Twitter generates the correct OpenGraph card. To get the episode to play inline on Twitter, the "X-Frame-Options" header needs to be disabled, because the default nginx configuration adds this header with the value "SAMEORIGIN".


The required line to be added is:

more_clear_headers 'X-Frame-Options';

This will make the inline player work on Twitter. Do note that for some reason you cannot validate the URL on opengraph.xyz or cards-dev.twitter.com, but the OpenGraph cards do work properly on all websites I have tested (Facebook, LinkedIn, Twitter).

(I also disabled the SSOWAT panel cause it was annoying)
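Added example (not code from the castopod_ynh project or from anyone in this thread): a small Python checker that applies the browser framing rules this thread runs into. A CSP `frame-ancestors` directive, when present, decides who may embed the page and makes `X-Frame-Options` irrelevant; otherwise `X-Frame-Options: SAMEORIGIN` blocks every foreign origin, which is why the stock YunoHost headers quoted above keep the Twitter player from loading. The header dumps, the page origin `https://podcast.example` and the `SCOPED` variant (a `frame-ancestors` list naming only the embedding origins instead of clearing the header for every site) are constructed for this example; the scoped variant is an assumption about what a tighter configuration would look like, not something the thread tested.

```python
"""Decide whether a response may be framed by a given origin.

Rules applied (as browsers do):
  * a Content-Security-Policy frame-ancestors directive, if present, decides;
  * otherwise X-Frame-Options applies (DENY / SAMEORIGIN; other values ignored);
  * with neither header, any origin may frame the page.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw header dump (one 'Name: value' per line) into lowercase (name, value) pairs."""
    headers = []
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # status line such as 'HTTP/2 200 OK'
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def frame_ancestors(headers: list[tuple[str, str]]) -> list[str] | None:
    """Return the frame-ancestors source list, or None if no CSP header sets one."""
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:] or ["'none'"]  # empty list: nobody may frame
    return None


def _host_source_matches(source: str, embedder: str) -> bool:
    """Match a CSP host-source (scheme://host:port, '*' wildcards allowed) against an origin."""
    e = urlsplit(embedder)
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    scheme = scheme.lower()
    if scheme and scheme != e.scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    host, ehost = host.lower(), (e.hostname or "").lower()
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        host_ok = ehost.endswith(host[1:])  # '*.x.com' matches 'a.x.com', not 'x.com'
    else:
        host_ok = ehost == host
    eport = e.port or DEFAULT_PORTS.get(e.scheme)
    if port == "*":
        port_ok = True
    elif port == "":
        port_ok = eport == DEFAULT_PORTS.get(scheme or e.scheme)
    else:
        port_ok = eport == int(port)
    return host_ok and port_ok


def source_matches(source: str, embedder: str, page: str) -> bool:
    """Evaluate one frame-ancestors source expression for an embedding origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if "://" not in source and source.endswith(":"):  # scheme-source such as 'https:'
        return urlsplit(embedder).scheme == source[:-1].lower()
    return _host_source_matches(source, embedder)


def can_be_framed_by(raw_headers: str, page: str, embedder: str) -> bool:
    """True if a document at `embedder` may load `page` (served with these headers) in a frame."""
    headers = parse_headers(raw_headers)
    ancestors = frame_ancestors(headers)
    if ancestors is not None:  # CSP present: X-Frame-Options is ignored
        return any(source_matches(src, embedder, page) for src in ancestors)
    for name, value in headers:
        if name == "x-frame-options":
            option = value.strip().upper()
            if option == "DENY":
                return False
            if option == "SAMEORIGIN":
                return embedder == page
    return True


# Constructed header dumps modelled on the response quoted in this issue.
PAGE = "https://podcast.example"  # hypothetical YunoHost-hosted Castopod instance

ORIGINAL = """HTTP/2 200 OK
server: nginx
content-type: text/html; charset=UTF-8
content-security-policy: upgrade-insecure-requests
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
"""
# After `more_clear_headers 'X-Frame-Options';`: every site may now frame the page.
CLEARED = ORIGINAL.replace("x-frame-options: SAMEORIGIN\n", "")
# Assumed tighter alternative: name the embedding origins in frame-ancestors (CSP wins over XFO).
SCOPED = ORIGINAL.replace(
    "content-security-policy: upgrade-insecure-requests",
    "content-security-policy: upgrade-insecure-requests; "
    "frame-ancestors 'self' https://twitter.com https://*.twitter.com",
)


def summary() -> dict[str, bool]:
    """Framing verdicts for the three configurations, seen from twitter.com and from an unrelated site."""
    return {
        "original/twitter": can_be_framed_by(ORIGINAL, PAGE, "https://twitter.com"),
        "cleared/twitter": can_be_framed_by(CLEARED, PAGE, "https://twitter.com"),
        "cleared/other": can_be_framed_by(CLEARED, PAGE, "https://unrelated.example"),
        "scoped/twitter": can_be_framed_by(SCOPED, PAGE, "https://twitter.com"),
        "scoped/other": can_be_framed_by(SCOPED, PAGE, "https://unrelated.example"),
    }
```

Running `summary()` shows the trade-off in one glance: the original headers block Twitter, clearing `X-Frame-Options` unblocks Twitter and every other site alike, while the scoped `frame-ancestors` list unblocks only the origins it names. The same check can be pointed at a real instance by pasting the headers from `curl -sI` into `can_be_framed_by`, which is a quick way to confirm what an nginx change actually did before relying on a third-party validator.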

navanchauhan commented 2 years ago

@ericgaspar do you want me to open a PR with the patch I have mentioned along with upgrading to the latest version?