Verified Commit 23ad40d8 authored by Lauri Timmanee's avatar Lauri Timmanee
Browse files

Issue #2962753 by ivnish, asawari, sagarmohite0031, phenaproxima, smustgrave,... 

Issue #2962753 by ivnish, asawari, sagarmohite0031, phenaproxima, smustgrave, longwave, pameeela, sime, joelpittet, quietone: Remove oEmbed security warning
parent a44cf1ef

core/modules/media/media.install

+0 −31
Original line number Diff line number Diff line
@@ -12,8 +12,6 @@ 
use Drupal\Core\Url;

use Drupal\image\Plugin\Field\FieldType\ImageItem;

use Drupal\media\Entity\MediaType;

use Drupal\media\MediaTypeInterface;

use Drupal\media\Plugin\media\Source\OEmbedInterface;

use Drupal\user\RoleInterface;



/**
@@ -78,35 +76,6 @@ function media_requirements($phase) { 
    }

  }

  elseif ($phase === 'runtime') {

    // Check that oEmbed content is served in an iframe on a different domain,

    // and complain if it isn't.

    $domain = \Drupal::config('media.settings')->get('iframe_domain');



    if (!\Drupal::service('media.oembed.iframe_url_helper')->isSecure($domain)) {

      // Find all media types which use a source plugin that implements

      // OEmbedInterface.

      $media_types = \Drupal::entityTypeManager()

        ->getStorage('media_type')

        ->loadMultiple();



      $oembed_types = array_filter($media_types, function (MediaTypeInterface $media_type) {

        return $media_type->getSource() instanceof OEmbedInterface;

      });



      if ($oembed_types) {

        // @todo Potentially allow site administrators to suppress this warning

        // permanently. See https://www.drupal.org/project/drupal/issues/2962753

        // for more information.

        $requirements['media_insecure_iframe'] = [

          'title' => t('Media'),

          'description' => t('It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. <a href=":url">You can specify a different domain for serving oEmbed content here</a>.', [

            ':url' => Url::fromRoute('media.settings')->setAbsolute()->toString(),

          ]),

          'severity' => REQUIREMENT_WARNING,

        ];

      }

    }



    $module_handler = \Drupal::service('module_handler');

    foreach (MediaType::loadMultiple() as $type) {

      // Load the default display.

core/modules/media/tests/src/Functional/MediaSettingsTest.php

+0 −15
Original line number Diff line number Diff line
@@ -29,21 +29,6 @@ protected function setUp(): void { 
    ]));

  }



  /**

   * Tests that media warning appears if oEmbed media types exists.

   */

  public function testStatusPage(): void {

    $assert_session = $this->assertSession();



    $this->drupalGet('admin/reports/status');

    $assert_session->pageTextNotContains('It is potentially insecure to display oEmbed content in a frame');



    $this->createMediaType('oembed:video');



    $this->drupalGet('admin/reports/status');

    $assert_session->pageTextContains('It is potentially insecure to display oEmbed content in a frame');

  }



  /**

   * Tests that the media settings form stores a `null` iFrame domain.

   */