From 19f2246fcce98cd839053767973c637952538373 Mon Sep 17 00:00:00 2001
From: JuniorJPDJ <git@juniorjpdj.pl>
Date: Sat, 5 Nov 2022 17:53:22 +0000
Subject: [PATCH] Fix CORS for media files and allow wasm-unsafe-eval for
 visualizer (fixes #1937 and #1934)

---
 changes/changelog.d/1934.bugfix      | 1 +
 changes/changelog.d/1937.bugfix      | 1 +
 deploy/nginx.template                | 9 ++++++---
 front/docker/funkwhale.conf.template | 9 ++++++---
 4 files changed, 14 insertions(+), 6 deletions(-)
 create mode 100644 changes/changelog.d/1934.bugfix
 create mode 100644 changes/changelog.d/1937.bugfix

diff --git a/changes/changelog.d/1934.bugfix b/changes/changelog.d/1934.bugfix
new file mode 100644
index 000000000..2ccb1287c
--- /dev/null
+++ b/changes/changelog.d/1934.bugfix
@@ -0,0 +1 @@
+Fix changing visualizer CORS error (#1934).
diff --git a/changes/changelog.d/1937.bugfix b/changes/changelog.d/1937.bugfix
new file mode 100644
index 000000000..9ffc14382
--- /dev/null
+++ b/changes/changelog.d/1937.bugfix
@@ -0,0 +1 @@
+Allow playback of media from external frontend (#1937).
diff --git a/deploy/nginx.template b/deploy/nginx.template
index a1e717729..bb7782cef 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -44,7 +44,7 @@ server {
     # If you are using S3 to host your files, remember to add your S3 URL to the
     # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
 
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
     add_header X-Frame-Options "SAMEORIGIN" always;
 
@@ -85,7 +85,7 @@ server {
     }
 
     location /front/ {
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
         alias ${FUNKWHALE_FRONTEND_PATH}/;
@@ -94,7 +94,7 @@ server {
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
     location = /front/embed.html {
-        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+        add_header Content-Security-Policy "connect-src https: http: 'self' 'wasm-unsafe-eval'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
         add_header X-Frame-Options "" always;
@@ -122,6 +122,7 @@ server {
 
     location /media/ {
         alias ${MEDIA_ROOT}/;
+        add_header Access-Control-Allow-Origin '*';
     }
 
     location /_protected/media/ {
@@ -130,6 +131,7 @@ server {
         # has been checked on API side
         internal;
         alias   ${MEDIA_ROOT};
+        add_header Access-Control-Allow-Origin '*';
     }
 
     # Comment the previous location and uncomment this one if you're storing
@@ -148,6 +150,7 @@ server {
         # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
         internal;
         alias   ${MUSIC_DIRECTORY_SERVE_PATH};
+        add_header Access-Control-Allow-Origin '*';
     }
 
     location /staticfiles/ {
diff --git a/front/docker/funkwhale.conf.template b/front/docker/funkwhale.conf.template
index 61d5b870b..f6fa357f3 100644
--- a/front/docker/funkwhale.conf.template
+++ b/front/docker/funkwhale.conf.template
@@ -18,7 +18,7 @@ server {
     # If you are using S3 to host your files, remember to add your S3 URL to the
     # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:).
 
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
     add_header X-Frame-Options "SAMEORIGIN" always;
 
@@ -30,7 +30,7 @@ server {
     }
 
     location /front/ {
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
         alias /usr/share/nginx/html/;
@@ -40,7 +40,7 @@ server {
     }
 
     location = /front/embed.html {
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
         add_header X-Frame-Options "" always;
@@ -68,6 +68,7 @@ server {
 
     location /media/ {
         alias ${MEDIA_ROOT}/;
+        add_header Access-Control-Allow-Origin '*';
     }
 
     # This is an internal location that is used to serve
@@ -81,6 +82,7 @@ server {
         # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
 #       proxy_set_header Authorization "";                                  # S3
 #       proxy_pass $1;                                                      # S3
+        add_header Access-Control-Allow-Origin '*';
     }
 
     location /_protected/music/ {
@@ -90,6 +92,7 @@ server {
         # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
         internal;
         alias   ${MUSIC_DIRECTORY_PATH}/;
+        add_header Access-Control-Allow-Origin '*';
     }
 
     location /staticfiles/ {