Verified Commit 23ad40d8 authored by Lauri Timmanee

Issue #2962753 by ivnish, asawari, sagarmohite0031, phenaproxima, smustgrave,...

Issue #2962753 by ivnish, asawari, sagarmohite0031, phenaproxima, smustgrave, longwave, pameeela, sime, joelpittet, quietone: Remove oEmbed security warning
parent a44cf1ef
+0 −31
@@ -12,8 +12,6 @@
use Drupal\Core\Url;
use Drupal\image\Plugin\Field\FieldType\ImageItem;
use Drupal\media\Entity\MediaType;
use Drupal\media\MediaTypeInterface;
use Drupal\media\Plugin\media\Source\OEmbedInterface;
use Drupal\user\RoleInterface;

/**
@@ -78,35 +76,6 @@ function media_requirements($phase) {
    }
  }
  elseif ($phase === 'runtime') {
    // Check that oEmbed content is served in an iframe on a different domain,
    // and complain if it isn't.
    $domain = \Drupal::config('media.settings')->get('iframe_domain');

    if (!\Drupal::service('media.oembed.iframe_url_helper')->isSecure($domain)) {
      // Find all media types which use a source plugin that implements
      // OEmbedInterface.
      $media_types = \Drupal::entityTypeManager()
        ->getStorage('media_type')
        ->loadMultiple();

      $oembed_types = array_filter($media_types, function (MediaTypeInterface $media_type) {
        return $media_type->getSource() instanceof OEmbedInterface;
      });

      if ($oembed_types) {
        // @todo Potentially allow site administrators to suppress this warning
        // permanently. See https://www.drupal.org/project/drupal/issues/2962753
        // for more information.
        $requirements['media_insecure_iframe'] = [
          'title' => t('Media'),
          'description' => t('It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. <a href=":url">You can specify a different domain for serving oEmbed content here</a>.', [
            ':url' => Url::fromRoute('media.settings')->setAbsolute()->toString(),
          ]),
          'severity' => REQUIREMENT_WARNING,
        ];
      }
    }

    $module_handler = \Drupal::service('module_handler');
    foreach (MediaType::loadMultiple() as $type) {
      // Load the default display.
+0 −15
@@ -29,21 +29,6 @@ protected function setUp(): void {
    ]));
  }

  /**
   * Tests that media warning appears if oEmbed media types exists.
   */
  public function testStatusPage(): void {
    $assert_session = $this->assertSession();

    $this->drupalGet('admin/reports/status');
    $assert_session->pageTextNotContains('It is potentially insecure to display oEmbed content in a frame');

    $this->createMediaType('oembed:video');

    $this->drupalGet('admin/reports/status');
    $assert_session->pageTextContains('It is potentially insecure to display oEmbed content in a frame');
  }

  /**
   * Tests that the media settings form stores a `null` iFrame domain.
   */