Permit embed with global login #1092

Closed

Conversation

yatesdr
Contributor

@yatesdr yatesdr commented Oct 23, 2024

1). Add a settings key to optionally allow embedding videos from a list of trusted referers when GLOBAL_LOGIN_REQUIRED is true. This is useful if you wish to use MediaCMS as a back-end content manager, with the embedded files being used on another site.

2). If the above option is set, modify the auth-bypass regex list in settings.py to permit loading from all origins in the embed view without auth, to paths in r'^/embed.*' and r'^/media/.*'

3). Modify embed view to validate embed requests against the list of allowed referers - check request.META['HTTP_REFERER'], parse the domain, and compare to the list. This required including urlparse to perform the domain parse in a reliable and standard way in this view.

4). Create a "fake player" to render (templates/cms/embed-403.html) with a mock 403 error, that fits the parent element and is generally styled like a vis player element. This is required since embedding in rich content editors often does not properly set the referrer on otherwise trusted sites, and giving a 500 API error or redirecting to the MediaCMS main login page is not desirable in this use case.

Example "Bad referrer" render in the stock embed iframe:
[screenshot omitted]

5). Doc updates to reflect this new option and its usage.
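The referer check that the description sketches, written here as an added example (not the PR's or MediaCMS's own code) so the decision logic can be exercised without Django. The setting name EMBED_TRUSTED_REFERERS and the template name cms/embed.html are assumptions; the page only says "a settings key" and names embed-403.html.

```python
# Added example, not MediaCMS project code. EMBED_TRUSTED_REFERERS is an
# assumed setting name; the PR text only says "a settings key".
from urllib.parse import urlparse

# Constructed sample of the trusted-referer setting (bare hostnames, no scheme).
EMBED_TRUSTED_REFERERS = ["cms.example.org", "docs.example.org"]


def referer_host(referer):
    """Return the lowercase hostname from a Referer header value, or None.

    urlparse().hostname drops the scheme, userinfo, port and path for us,
    which is the "reliable and standard" parse the PR description asks for.
    """
    if not referer:
        return None
    try:
        return urlparse(referer).hostname
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the header
        return None


def referer_allowed(referer, trusted=EMBED_TRUSTED_REFERERS):
    """True only when the Referer hostname exactly matches a trusted host.

    Exact set membership matters: a substring or endswith() comparison would
    also accept cms.example.org.attacker.test. Note that Referer is sent by
    the client and is absent from many rich-editor embeds, so a missing
    header is treated as "not trusted", never as "trusted".
    """
    host = referer_host(referer)
    return host is not None and host in {h.lower() for h in trusted}


def embed_response(request_meta, global_login_required=True, user_authenticated=False):
    """Decide what the embed view serves, mirroring the flow in the PR text.

    Returns (status, template). An untrusted or missing referer gets HTTP 200
    with the mock-403 player rather than a redirect, so the login page is
    never rendered inside a third-party iframe. cms/embed.html is an assumed
    template name for the normal player.
    """
    if not global_login_required or user_authenticated:
        return (200, "cms/embed.html")
    if referer_allowed(request_meta.get("HTTP_REFERER")):
        return (200, "cms/embed.html")
    return (200, "cms/embed-403.html")
```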

yatesdr and others added 23 commits October 18, 2024 00:37
Add an optional ALLOWED_DOMAINS_FOR_USER_REGISTRATION key.
Defensively check for attribute before querying.
Short documentation for ALLOWED_DOMAINS_FOR_USER_REGISTRATION addition.
Add variable and logic for bypassing auth for embedded video links from trusted referers.
Add view logic to allow serving embedded videos to trusted referers when GLOBAL_LOGIN... is enabled.
Added doc for permitting embed from trusted referers.
import urlparse for parsing HTTP_REFERER domain in a standard way.
Adjusted logic for referring domain / hostname detection.
Remove duplicate include for PermissionDenied.
Clarify the CORS requirements for cross-host embedding with global login.
Return a render /HTTP200 to avoid leaking login page to external sites.
Dummy render 403 in render response on embed host not authorized.
Render a fake player for content-layout in rich editors which use embed linkings but do not set referer tokens.
Fix vertical layout.
@yatesdr
Contributor Author

yatesdr commented Oct 23, 2024

Pull request contained other content, will re-issue.

@yatesdr yatesdr closed this Oct 23, 2024
@mgogoulos
Contributor

ping

@yatesdr
Contributor Author

yatesdr commented Oct 30, 2024

Check in draft PR #1093, it pulled a new # when I opened just these changes as a draft. Some of the linting is still not passing and I'm not sure how to fix it, but it seems unrelated to my PR.

@mgogoulos
Contributor

thanks, I'll have a look as soon as I can :)
