Fix: Add video service providers to CSP allow list (#527)

This adds the URLs of currently used video services to the CSP allow list for type frame so that video preview thumbnails are shown in backend. Before this fix the video preview thumbnails are not shown but instead following message is logged to console: `Refused to frame 'https://www.youtube-nocookie.com/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".`
pimcore · Jul 1, 2024 · cfc797e · cfc797e
1 parent f12d81d
commit cfc797e
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/Security/ContentSecurityPolicyHandler.php b/src/Security/ContentSecurityPolicyHandler.php
@@ -56,6 +56,11 @@ class ContentSecurityPolicyHandler implements LoggerAwareInterface
         self::SCRIPT_OPT => [
             'https://buttons.github.io/buttons.js', // GitHub star button on login page
         ],
+        self::FRAME_OPT => [
+            'https://www.youtube-nocookie.com/', // Video preview thumbnail for YouTube
+            'https://www.dailymotion.com/',      // Video preview thumbnail for Dailymotion
+            'https://player.vimeo.com/',         // Video preview thumbnail for Vimeo
+        ],
     ];
 
     public function __construct(protected Config $config, protected array $cspHeaderOptions = [])