diff options
| -rw-r--r-- | boot.php | 10 | ||||
| -rw-r--r-- | include/oembed.php | 6 |
2 files changed, 9 insertions, 7 deletions
@@ -2423,10 +2423,12 @@ function construct_page() { header("Strict-Transport-Security: max-age=31536000"); if(isset(App::$config['system']['content_security_policy'])) { - $cspsettings = Array ( - 'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"), - 'style-src' => Array ("'self'","'unsafe-inline'") - ); + $cspsettings = [ + 'script-src' => [ "'self'", "'unsafe-inline'", "'unsafe-eval'" ], + 'style-src' => [ "'self'", "'unsafe-inline'" ], + 'frame-src' => [ "'self'" ] + ]; + call_hooks('content_security_policy',$cspsettings); // Legitimate CSP directives (cxref: https://content-security-policy.com/) diff --git a/include/oembed.php b/include/oembed.php index 01cd8945f..9a25686fa 100644 --- a/include/oembed.php +++ b/include/oembed.php @@ -193,9 +193,9 @@ function oembed_fetch_url($embedurl){ // Youtube will happily hand us an http oembed URL even if we specify an https link; and the returned http link will fail with a 40x if you try and fetch it // This is not our bug, but good luck getting google to fix it. - if (strpos($href,'http:') === 0 && strpos($href,'youtu') !== false) { - $href = str_replace('http:','https:', $href); - } + //if (strpos($href,'http:') === 0 && strpos($href,'youtu') !== false) { + // $href = str_replace('http:','https:', $href); + //} $x = z_fetch_url($href . '&maxwidth=' . App::$videowidth); if($x['success']) |