csp: allow twitter embeds in blog posts

2018-05-09 12:06:09 +02:00 · 2018-05-09 12:06:09 +02:00 · 2e214dc6ea
parent 4542fc5906
commit 2e214dc6ea
2 changed files with 8 additions and 1 deletions
--- a/app/views/blog/layout.scala.html
+++ b/app/views/blog/layout.scala.html
@ -10,7 +10,8 @@ title = title,
 moreCss = cssTag("blog.css"),
 moreJs = pageJs,
 side = side,
-openGraph = openGraph) {
+openGraph = openGraph,
+csp = defaultCsp.withTwitter.some) {
 <div id="lichess_blog" class="content_box">
  @body
 </div>
--- a/modules/common/src/main/ContentSecurityPolicy.scala
+++ b/modules/common/src/main/ContentSecurityPolicy.scala
@ -40,6 +40,12 @@ case class ContentSecurityPolicy(
    scriptSrc = Nil
  )

+  def withTwitter = copy(
+    scriptSrc = "https://platform.twitter.com" :: "https://*.twimg.com" :: scriptSrc,
+    childSrc = "https://platform.twitter.com" :: childSrc,
+    styleSrc = "https://platform.twitter.com" :: styleSrc
+  )
+
  override def toString: String =
    List(
      "default-src " -> defaultSrc,