Diffstat (limited to 'app/controllers/media_controller.rb')
-rw-r--r-- | app/controllers/media_controller.rb | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 352a04c54..05cf09c28 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -9,6 +9,8 @@ class MediaController < ApplicationController
   before_action :authenticate_user!, if: :whitelist_mode?
   before_action :set_media_attachment
   before_action :verify_permitted_status!
+  before_action :check_playable, only: :player
+  before_action :allow_iframing, only: :player
 
   content_security_policy only: :player do |p|
     p.frame_ancestors(false)
@@ -20,8 +22,6 @@ class MediaController < ApplicationController
   def player
     @body_classes = 'player'
 
-    response.headers['X-Frame-Options'] = 'ALLOWALL'
-    raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?
   end
 
   private
@@ -35,4 +35,12 @@ class MediaController < ApplicationController
   rescue Mastodon::NotPermittedError
     raise ActiveRecord::RecordNotFound
   end
+
+  def check_playable
+    not_found unless @media_attachment.larger_media_format?
+  end
+
+  def allow_iframing
+    response.headers['X-Frame-Options'] = 'ALLOWALL'
+  end
 end |
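Review bot: The relative order of the two new `before_action` lines in the first hunk is load-bearing and deserves a comment: `check_playable` is declared before `allow_iframing`, so when the playability check halts the chain (404), the response is sent with the framework's default `X-Frame-Options` rather than the relaxed one, and `allow_iframing` only ever runs for a request that has already passed `set_media_attachment`, `verify_permitted_status!` and `check_playable`. Reordering these lines would silently hand out the embeddable header on error responses. I would add above the pair `# Order matters: only a request that passed every check above gets the relaxed framing header.` The `before_action` declarations continue above this hunk.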
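Review bot: After the two removals the `player` body in the second hunk keeps a trailing blank line between `@body_classes = 'player'` and `end`; drop it so the method reads `@body_classes = 'player'` directly followed by `end` (RuboCop Layout/EmptyLines would flag it). The gate for this action has also moved from `video? || gifv?` to `larger_media_format?` in `check_playable`; whether those two sets are identical is not visible here, and if the new predicate admits additional formats the player view is presumably expected to render them, which is worth stating in the commit description.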
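Review bot: `ALLOWALL` in `allow_iframing` (third hunk) is not a value defined for `X-Frame-Options` (the header only defines `DENY` and `SAMEORIGIN`, plus the deprecated `ALLOW-FROM`); the header works only because browsers discard a header with an unrecognized token, which is an accidental rather than documented behaviour. Since the controller already lifts `frame_ancestors` for `player` via `content_security_policy`, the explicit and standards-based form is to remove the restrictive default instead of overwriting it with an invalid value: `response.headers.delete('X-Frame-Options')`, with a comment such as `# Embedding is governed by the CSP frame-ancestors directive declared above; drop the default SAMEORIGIN header so it does not conflict.` `check_playable` relies on `not_found`, which is not defined in this file and is presumably inherited from `ApplicationController`; a one-line comment above the method noting that it must run after `set_media_attachment` (it reads `@media_attachment`) would help the next maintainer.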