From f3ab45a152fbef9112daab580e3a11ecd9130962 Mon Sep 17 00:00:00 2001
From: Aman Agrawal
Date: Wed, 11 Oct 2023 05:34:50 +0000
Subject: [PATCH] uploads-internal: Mark `self` as a valid source of loading media.

Without this, browser refused to play the video. To reproduce press `open` on an uploaded video on CZO. Chrome gives us the following error in console: Refused to load media from '' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.
---
 .../files/nginx/zulip-include-frontend/uploads-internal.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
index 5e426b7159..2ad1778386 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf
@@ -2,7 +2,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) {
 internal;
 include /etc/nginx/zulip-include/headers;
- add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
+ add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
 # The components of this path are originally double-URI-escaped
 # (see zerver/view/upload.py). "location" matches are on
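Review bot: The added header in this hunk spells the new directive as `media-src: 'self'`, and that colon makes it invalid CSP: directive names are bare tokens, so a browser treats `media-src:` as an unrecognised directive, ignores it, and media still falls back to `default-src 'none'` — most likely the same "Refused to load media" console error the commit message quotes. The line should read `add_header Content-Security-Policy "default-src 'none'; media-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";`. The hunk at `@@ -46,7 +46,7 @@` (the `/internal/local/uploads` location) carries the same colon and needs the same one-character fix. After the change, the browser console should no longer warn about an unrecognised directive and the upload should play; both `location` blocks continue outside their hunks.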
@@ -46,7 +46,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) {
 location /internal/local/uploads {
 internal;
 include /etc/nginx/zulip-include/headers;
- add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
+ add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
 # Django handles setting Content-Type, Content-Disposition, and Cache-Control.