From 3c55a425c743fb17e8c538e9a56cacea2b8a67d6 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Thu, 1 Nov 2018 20:39:33 +0100
Subject: [PATCH] Fix script domain for instagram in CSP header closes #7920
---
 Changelog.md | 1 +
 config/initializers/secure_headers.rb | 26 +++++++++++++-------------
 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 1acd2cdb8..c0edec07b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -10,6 +10,7 @@
 ## Bug fixes
 * Ignore invalid URLs for camo [#7922](https://github.com/diaspora/diaspora/pull/7922)
 * Unlinking a post did not update the participation icon without a reload [#7882](https://github.com/diaspora/diaspora/pull/7882)
+* Fix broken Instagram embedding [#7920](https://github.com/diaspora/diaspora/pull/7920)
 ## Features
 * Add the ability to assign roles in the admin panel [#7868](https://github.com/diaspora/diaspora/pull/7868)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 57a5b72c8..d76d345b5 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -4,19 +4,19 @@ SecureHeaders::Configuration.default do |config|
 config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
 csp = {
- default_src: %w('none'),
- connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
- font_src: %w('self'),
- form_action: %w('self' platform.twitter.com syndication.twitter.com),
- frame_ancestors: %w('self'),
- frame_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
- player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
- www.instagram.com),
- img_src: %w('self' data: *),
- media_src: %w(https:),
- script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
- embedr.flickr.com platform.instagram.com 'unsafe-inline'),
- style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
+ default_src: %w['none'],
+ connect_src: %w['self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com],
+ font_src: %w['self'],
+ form_action: %w['self' platform.twitter.com syndication.twitter.com],
+ frame_ancestors: %w['self'],
+ frame_src: %w['self' blob: www.youtube.com w.soundcloud.com twitter.com platform.twitter.com
+ syndication.twitter.com player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de
+ bandcamp.com www.instagram.com],
+ img_src: %w['self' data: blob: *],
+ media_src: %w[https:],
+ script_src: %w['self' blob: 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
+ embedr.flickr.com www.instagram.com 'unsafe-inline'],
+ style_src: %w['self' 'unsafe-inline' platform.twitter.com *.twimg.com]
 }
 if AppConfig.environment.assets.host.present?
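Review bot: The `blob:` source added to `script_src` and `frame_src` (and `img_src`) widens the policy beyond the swap of `platform.instagram.com` for `www.instagram.com` that the title and changelog describe, and nothing in the hunk records why it is needed. Today the practical loss is small because `script_src` already carries `'unsafe-inline'` and `'unsafe-eval'`, but `blob:` lets any Blob the page creates run as script or be framed, and it will silently survive a later move to nonce- or hash-based `script_src` unless its purpose is written down. I would add a comment above the `csp = {` literal, e.g. `# blob: in script_src/frame_src/img_src is required by the Instagram embed (#7920); remove if the embed stops needing it`, with the reason adjusted to whatever actually motivated it, since I cannot confirm that from the diff. Note that `*` in `img_src` does not cover scheme-only sources, so the `blob:` there is a real change too, not redundancy. The enclosing `SecureHeaders::Configuration.default do |config|` block continues past the end of the hunk.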