summary refs log tree commit diff
path: root/synapse/rest
diff options
context:
space:
mode:
authorJérémy Farnaud <remjey@users.noreply.github.com>2018-09-25 12:55:02 +0200
committerRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2018-09-25 11:55:02 +0100
commit6cf261930ac4c5f08cd3d6bf1f5a37a2889f6e7b (patch)
treecad6e0c13d8a8c1e6686897da6c674cb6e6e5693 /synapse/rest
parentMerge pull request #3925 from matrix-org/erikj/fix_producers_unregistered (diff)
downloadsynapse-6cf261930ac4c5f08cd3d6bf1f5a37a2889f6e7b.tar.xz
added "media-src: 'self'" to CSP for resources (#3578)
Synapse doesn’t allow for media resources to be played directly from
Chrome. It is a problem for users on other networks (e.g. IRC)
communicating with Matrix users through a gateway. The gateway sends
them the raw URL for the resource when a Matrix user uploads a video
and the video cannot be played directly in Chrome using that URL.

Chrome argues it is not authorized to play the video because of the
Content Security Policy. Chrome checks for the "media-src" policy which
is missing, and defauts to the "default-src" policy which is "none".

As Synapse already sends "object-src: 'self'" I thought it wouldn’t be
a problem to add "media-src: 'self'" to the CSP to fix this problem.
Diffstat (limited to 'synapse/rest')
-rw-r--r--synapse/rest/media/v1/download_resource.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/synapse/rest/media/v1/download_resource.py b/synapse/rest/media/v1/download_resource.py
index ca90964d1d..f911b120b1 100644
--- a/synapse/rest/media/v1/download_resource.py
+++ b/synapse/rest/media/v1/download_resource.py
@@ -52,6 +52,7 @@ class DownloadResource(Resource):
             b" script-src 'none';"
             b" plugin-types application/pdf;"
             b" style-src 'unsafe-inline';"
+            b" media-src 'self';"
             b" object-src 'self';"
         )
         server_name, media_id, name = parse_media_id(request)