merge conflict

2 files changed, 9 insertions, 7 deletions

diff --git a/boot.php b/boot.php
index 28ca02f84..82ebea71a 100644
--- a/boot.php
+++ b/boot.php
@@ -2423,10 +2423,12 @@ function construct_page() {
 		header("Strict-Transport-Security: max-age=31536000");
 
 	if(isset(App::$config['system']['content_security_policy'])) {
-		$cspsettings = Array (
-			'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
-			'style-src' => Array ("'self'","'unsafe-inline'")
-		);
+		$cspsettings = [
+			'script-src' => [ "'self'", "'unsafe-inline'", "'unsafe-eval'" ],
+			'style-src'  => [ "'self'", "'unsafe-inline'" ],
+			'frame-src'  => [ "'self'" ]
+		];
+
 		call_hooks('content_security_policy',$cspsettings);
 
 		// Legitimate CSP directives (cxref: https://content-security-policy.com/)
diff --git a/include/oembed.php b/include/oembed.php
index 01cd8945f..9a25686fa 100644
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -193,9 +193,9 @@ function oembed_fetch_url($embedurl){
 
 						// Youtube will happily hand us an http oembed URL even if we specify an https link; and the returned http link will fail with a 40x if you try and fetch it
 						// This is not our bug, but good luck getting google to fix it.
-						if (strpos($href,'http:') === 0 && strpos($href,'youtu') !== false) {
-							$href = str_replace('http:','https:', $href);
-						}
+						//if (strpos($href,'http:') === 0 && strpos($href,'youtu') !== false) {
+						//	$href = str_replace('http:','https:', $href);
+						//}
 
 						$x = z_fetch_url($href . '&maxwidth=' . App::$videowidth);
 						if($x['success'])