Description of problem:
Attempting to use this in our "Order" catalog page.

<video width="320" height="240" controls> <source src="http://www.opentlc.com/videos/QCI_Demo_Training.mp4" type="video/mp4"> Your browser does not support the video tag. </video>

Received this error message:
Content Security Policy: The page’s settings blocked the loading of a resource at http://www.opentlc.com/videos/QCI_Demo_Training.mp4 (“default-src https://rhpds.redhat.com”).

Version-Release number of selected component (if applicable):
Cloudforms v4.1

How reproducible:
Add above HTML snippet into Cloudforms page

Steps to Reproduce:
1. Add above HTML snippet into Cloudforms page

Actual results:
Content Security Policy: The page’s settings blocked the loading of a resource at http://www.opentlc.com/videos/QCI_Demo_Training.mp4 (“default-src https://rhpds.redhat.com”).

Expected results:
Video to play within the page

Additional info:
Need to be able to set Content Security Policy to enable artifacts like mp4's to be available.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy
Any updates on this bugzilla?
This is blocked on purpose. Why should we want to include content from another site inside the Cloudforms OPS UI?
I am in the Red Hat Channel and we host all of our demos/workshops on the Red Hat Partner Demo System (RHPDS) [1]. RHPDS is based on Cloudforms and we use it worldwide for hosting all Channel demos, workshops, etc. We include an external video link on the order page (aka catalog) of a given demo/workshop so that a Partner can watch a preview video inline on the page before determining if they should order the demo or not. With this restriction, the video must be downloaded prior to viewing and the actual appearance of the page is not as professional. From a time spent standpoint, it's one mouse click to play the preview video within the page versus several minutes to download the mp4 video file.

Here is a text view of an order page:
=============================================================
Service "JBoss AMQ 6.3 Demo"
Name: JBoss AMQ 6.3 Demo
Description
Long Description
A-MQ Demo: This demo of A-MQ demonstrates a master/slave environment with a client load program that asserts load on a broker and demonstrates fail-over/fail-back when a master message broker fails. A-MQ features which can be demonstrated:
-Web Console
-High-Availability via fail-over/fail-back
-Web Application demonstrating A-MQ with High-Availability.
To access your demo: Open a web browser to https://amq-GUID.rhpds.opentlc.com/guacamole (where GUID is replaced with the GUID you will receive in an email). The username and password are your OPENTLC SSO credentials. Click the Demo link to start the remote desktop.
Demo Preview Video: Click here
Deploying Demos in RHPDS Intro Video: Click here
=====================================================

My question is why would you want to restrict this access if the associated administrator wants to include content from a different site on a given Cloudforms web page, assuming the associated domain has been configured to be safe via the Content Security Policy?

-Doug

[1] https://rhpds.redhat.com/
The reason to keep CSP as strict as possible is to mitigate possible attacks and/or limit attack surface. If one cannot insert custom content into a page then one cannot attack the application through such content, be it a JPEG bug in a library used by a browser or anything else that we can't imagine at this point.

For your particular scenario: could you have the content in a directory on the appliance? Such as: https://rhpds.redhat.com/demo_data/ ? You can do this by adding a simple Alias into your appliance's apache config. In such a case the limitation would not be a problem.

Please let me know if this is not helpful for you. I'd like to help to figure out some solution.
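To make the blocked load concrete, here is an added example (not CloudForms code, and not from either commenter) that evaluates a resource URL against a CSP header the way a browser does for the subset of source-list matching relevant here: directive fallback to `default-src`, `'self'`, scheme, host (including `*.` wildcards), port and path matching. The policy string is the one quoted in the bug report; the `/demo_data/` URL and the `media-src` variants are constructed to show why hosting the file under the appliance's own origin satisfies the existing policy, and what a loosened policy would have to say instead.

```python
"""Check whether a resource URL is permitted by a Content-Security-Policy.

Added example, not part of CloudForms: a small CSP source-list matcher used to
explain the "default-src https://rhpds.redhat.com" error from this report.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = {"media-src", "img-src", "script-src", "style-src",
                       "connect-src", "font-src", "frame-src", "object-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """Parse 'name src src; name src' into {name: [sources]}.

    A directive repeated in the same policy is ignored after its first use,
    as the CSP spec requires.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow loading `url` from a page at `page_origin`?"""
    u, o = urlsplit(url), urlsplit(page_origin)
    uhost = u.hostname or ""
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, uhost, _effective_port(u)) == \
               (o.scheme, o.hostname, _effective_port(o))
    if source.startswith("'"):
        return False  # nonces, hashes, 'unsafe-inline' never apply to URL loads
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1].lower()  # scheme-source such as "https:"

    # host-source: [scheme://]host[:port][/path]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme:
        # An explicit http: source also allows the https upgrade of that host.
        if not (u.scheme == s.scheme or (s.scheme == "http" and u.scheme == "https")):
            return False
    elif not (u.scheme == o.scheme or (o.scheme == "http" and u.scheme == "https")):
        return False
    shost = s.hostname or ""
    if shost.startswith("*."):
        if not uhost.endswith(shost[1:]):
            return False
    elif uhost != shost:
        return False
    if s.port is not None:
        if _effective_port(u) != s.port:
            return False
    elif u.port is not None and u.port != DEFAULT_PORTS.get(u.scheme):
        return False
    if s.path:
        # A path ending in "/" is a prefix; any other path must match exactly.
        if s.path.endswith("/"):
            return u.path.startswith(s.path)
        return u.path == s.path
    return True


def allowed_by_policy(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Resolve the governing directive (with default-src fallback) and match."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no directive governs this load, so CSP does not restrict it
    return any(source_matches(src, url, page_origin) for src in sources)


# Policy quoted in the bug report; page origin and alternative URLs are constructed.
REPORTED_POLICY = "default-src https://rhpds.redhat.com"
PAGE_ORIGIN = "https://rhpds.redhat.com"
EXTERNAL_VIDEO = "http://www.opentlc.com/videos/QCI_Demo_Training.mp4"
APPLIANCE_VIDEO = "https://rhpds.redhat.com/demo_data/QCI_Demo_Training.mp4"
# A policy that would explicitly admit the external host (media only, https only).
LOOSENED_POLICY = ("default-src https://rhpds.redhat.com; "
                   "media-src https://rhpds.redhat.com https://www.opentlc.com")

if __name__ == "__main__":
    for label, policy, url in [("reported/external", REPORTED_POLICY, EXTERNAL_VIDEO),
                               ("reported/appliance", REPORTED_POLICY, APPLIANCE_VIDEO),
                               ("loosened/external http", LOOSENED_POLICY, EXTERNAL_VIDEO)]:
        print(f"{label}: {'allowed' if allowed_by_policy(policy, 'media-src', url, PAGE_ORIGIN) else 'blocked'}")
```

The `<video>` element is governed by `media-src`, which the reported policy does not set, so the browser falls back to `default-src` and the `http://www.opentlc.com` URL fails the host (and scheme) check. The same file served from `/demo_data/` on the appliance matches the existing source expression without any policy change; the loosened policy shows the minimal alternative an administrator would need, and that even then the plain-`http` URL stays blocked.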
Putting content on rhpds.redhat.com/demo_data/xxxx is not an option. We do not own this system and we requested such a workaround and it was denied. I understand your reasoning above for the limit on CSP, but if an Administrator wants/requires to allow external content on a web page, they should have the option of enabling this capability and assuming the associated risks. I see this as no different than common Web pages today hosting external content. At a minimum, I think this should be documented that external content cannot be used on a web page with Cloudforms 4.x.
I spoke with the team which owns the publication of the web page and they are open to using an Alias, however, when they attempted to use an Alias, they responded with this information: "Something else in the appliance is overriding all of the Aliases and we get an error page stating "The page you were looking for doesn't exist." If they can provide an example of an Apache configuration that will work we will use that and host the videos on the appliance."
Can a working example of an Apache configuration w/CF v4.x be provided that demonstrates how to use an Apache Alias for accessing this content?
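An added example of the kind of Alias configuration being asked for; it is not from the CloudForms project and has not been taken from the appliance. It assumes the appliance fronts its application with a catch-all `ProxyPass` (on a reverse-proxied host an Alias is silently bypassed unless the path is excluded from proxying first, which would produce exactly the application's own "page doesn't exist" response), that the files live under `/var/www/demo_data`, and that `/etc/httpd/conf.d/demo_data.conf` is a suitable place for the snippet. The file name, directory and URL prefix are all placeholders.

```apache
# Added example, not CloudForms' own configuration.
# Serves demo videos from the appliance itself so that they load from the
# same origin already permitted by "default-src https://rhpds.redhat.com".
#
# Assumption: the application is reached through a catch-all ProxyPass.
# ProxyPass rules are matched in configuration order, first match wins, so
# this exclusion must be evaluated before the general rule. If the appliance
# proxies via RewriteRule [P] instead, the equivalent exclusion is
#   RewriteRule ^/demo_data/ - [L]
# placed ahead of the proxying rewrite.
ProxyPass /demo_data !

# Map the URL prefix to a directory that holds only the static media files.
Alias /demo_data /var/www/demo_data

<Directory /var/www/demo_data>
    # No directory listings, no following of symlinks out of the tree,
    # no per-directory overrides: static files and nothing else.
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

After placing the `.mp4` files in that directory (readable by the httpd user, and with a SELinux context httpd may read where SELinux is enforcing), `apachectl configtest` followed by a reload makes `https://rhpds.redhat.com/demo_data/<file>.mp4` servable by httpd directly; httpd's stock `mime.types` already maps `.mp4` to `video/mp4` and honours Range requests, which `<video>` elements use for seeking. The `<video>` snippet from the report then only needs its `src` pointed at that path, and the CSP stays as strict as it is today.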