Skip to content

playvideos: improves Content-Security-Policy (CSP) compliance#2110

Open
thican wants to merge 1 commit intoshaarli:masterfrom
thican:CSP-playvideos
Open

playvideos: improves Content-Security-Policy (CSP) compliance#2110
thican wants to merge 1 commit intoshaarli:masterfrom
thican:CSP-playvideos

Conversation

@thican
Copy link

@thican thican commented Nov 16, 2024

Improves situation for #1513.

I hope it can integrate milestone 0.14.0 (#2105).

@nodiscc nodiscc added this to the 0.14.0 milestone Nov 17, 2024
@nodiscc nodiscc self-requested a review November 17, 2024 11:11
nodiscc
nodiscc reviewed Nov 17, 2024
View reviewed changes
Copy link
Member

@nodiscc nodiscc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While we're at it, couldn't we automate the download of https://code.jquery.com/jquery-3.7.1.min.js during frontend builds? Instead of vendoring a massive minified js file

@thican
Copy link
Author

thican commented Nov 17, 2024

While we're at it, couldn't we automate the download of https://code.jquery.com/jquery-3.7.1.min.js during frontend builds? Instead of vendoring a massive minified js file

Good idea, just I am not aware on how to make it work (yet?) but I approve this.

@thican
Copy link
Author

thican commented Nov 17, 2024

I guess the plugin could be rewritten to discard usage of jquery, nowadays, no? I am not a Web dev so I might be wrong ;-)
As far as I understand the code of this plugin (why is it so much obfuscated!?), it simplifies the creation of tag such as div and a with CSS content to only create the play box which hold the frame for the video host. I guess jQuery is not really required with modern browsers for just those capabilities, no?

However I am a bit lost with the frontend build usage, I managed to integrate jquery with the correct version and verified its fingerprints, but is it okay then I load the JS script from its path node_modules/jquery/dist/jquery.min.js?

@thican thican force-pushed the CSP-playvideos branch 3 times, most recently from e94cd36 to f442975 Compare November 18, 2024 04:43
@nodiscc nodiscc modified the milestones: 0.14.0, 0.15.0 Dec 8, 2024
@nodiscc nodiscc self-requested a review January 1, 2025 12:58
@7Ds7 7Ds7 mentioned this pull request Apr 10, 2025
Merged
@7Ds7
Copy link

7Ds7 commented Apr 10, 2025

I guess the plugin could be rewritten to discard usage of jquery, nowadays, no? I am not a Web dev so I might be wrong ;-) As far as I understand the code of this plugin (why is it so much obfuscated!?), it simplifies the creation of tag such as div and a with CSS content to only create the play box which hold the frame for the video host. I guess jQuery is not really required with modern browsers for just those capabilities, no?

However I am a bit lost with the frontend build usage, I managed to integrate jquery with the correct version and verified its fingerprints, but is it okay then I load the JS script from its path node_modules/jquery/dist/jquery.min.js?

This comment made me look at the whole jquery video player plugin situation i came up with a solution that might be worth it here

nodiscc
nodiscc requested changes May 1, 2025
View reviewed changes
Copy link
Member

@nodiscc nodiscc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since #2138 was merged, I think this PR only needs to include the changes to plugins/playvideos/README.md

@nodiscc nodiscc modified the milestones: 0.15.0, 0.16.0 Jun 11, 2025
@thican
playvideos: updates README.md for CSP instructions
9ef3ad9 
Signed-off-by: Thibaud CANALE <thican@thican.net>
@nodiscc nodiscc removed this from the 0.16.0 milestone Jan 24, 2026
@nodiscc nodiscc added this to the 0.17.0 milestone Jan 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nodiscc nodiscc nodiscc requested changes

Assignees

No one assigned

Labels

enhancement in review javascript client-side rendering security

Projects

None yet

Milestone

0.17.0

Development

Successfully merging this pull request may close these issues.

3 participants

@thican @7Ds7 @nodiscc