From 2c1a6f746fdce3654590cb2cb6703db24148cf59 Mon Sep 17 00:00:00 2001
From: jomo <github@jomo.tv>
Date: Tue, 18 Dec 2018 16:40:30 +0100
Subject: [PATCH] fix CSP / X-Frame-Options for media embeds (#9558)

---
 app/controllers/media_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 88c7232dd..8e1624ce1 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -6,12 +6,17 @@ class MediaController < ApplicationController
   before_action :set_media_attachment
   before_action :verify_permitted_status!
 
+  content_security_policy only: :player do |p|
+    p.frame_ancestors(false)
+  end
+
   def show
     redirect_to @media_attachment.file.url(:original)
   end
 
   def player
     @body_classes = 'player'
+    response.headers['X-Frame-Options'] = 'ALLOWALL'
     raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
   end