search

pimcore / admin-ui-classic-bundle

Other
11 stars 100 forks source link

[Bug]: [Objects] External video preview image (YouTube) blocked due to CSP #526

Open podarcis opened 7 months ago

podarcis commented 7 months ago

Pimcore version

11.2.2

Steps to reproduce

  1. Have data field of type video.
  2. Choose external video (e.g. YouTube) and paste its YT-code.
  3. Preview image is blocked by the browser due to CSP.

Refused to frame 'https://www.youtube-nocookie.com/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".

Actual Behavior

Preview image is blocked due to CSP and thus not shown.

Expected Behavior

As configuring YouTube in video field is a core functionality it should not require project specific configuring such as:

pimcore_admin:
    admin_csp_header:
        additional_urls:
            frame-src:
                - 'https://www.youtube-nocookie.com/'

Instead these external video services should be allowed by default in ContentSecurityPolicyHandler.

podarcis commented 7 months ago

I'd do a PR in pimcore/admin-ui-classic-bundle, when you confirm/label this issue (which you might also want to transfer to pimcore/admin-ui-classic-bundle).

github-actions[bot] commented 6 months ago

Thanks a lot for reporting the issue. We did not consider the issue as "Pimcore:Priority", "Pimcore:ToDo" or "Pimcore:Backlog", so we're not going to work on that anytime soon. Please create a pull request to fix the issue if this is a bug report. We'll then review it as quickly as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request. We'll then decide whether we'd accept it or not. Thanks for your understanding.

AlternateIf commented 6 months ago

can confirm this

AlternateIf commented 6 months ago 
            - 'https://www.dailymotion.com/'
            - 'https://player.vimeo.com/'

should also be included

fashxp commented 6 months ago

PR would be great. Thx