From e326eedf623e26aebfad767f973e98a076c76401 Mon Sep 17 00:00:00 2001
From: lum
Date: Thu, 20 Feb 2025 14:42:16 -0800
Subject: [PATCH] frame-src exclusion

---
 src/org/labkey/cds/CDSController.java | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/src/org/labkey/cds/CDSController.java b/src/org/labkey/cds/CDSController.java
index f2c8d74be..8adf73af8 100644
--- a/src/org/labkey/cds/CDSController.java
+++ b/src/org/labkey/cds/CDSController.java
@@ -41,18 +41,8 @@
 import org.labkey.api.action.SimpleViewAction;
 import org.labkey.api.action.SpringActionController;
 import org.labkey.api.collections.CaseInsensitiveHashMap;
-import org.labkey.api.data.BaseColumnInfo;
 import org.labkey.api.data.Container;
-import org.labkey.api.data.CoreSchema;
-import org.labkey.api.data.DataColumn;
-import org.labkey.api.data.DisplayColumn;
-import org.labkey.api.data.ExcelWriter;
-import org.labkey.api.data.JdbcType;
-import org.labkey.api.data.Results;
-import org.labkey.api.data.ResultsImpl;
 import org.labkey.api.data.SimpleFilter;
-import org.labkey.api.data.SqlSelector;
-import org.labkey.api.data.StashingResultsFactory;
 import org.labkey.api.data.TSVMapWriter;
 import org.labkey.api.data.TableInfo;
 import org.labkey.api.data.TableSelector;
@@ -66,13 +56,13 @@
 import org.labkey.api.rss.RSSFeed;
 import org.labkey.api.rss.RSSService;
 import org.labkey.api.security.AuthenticationManager;
+import org.labkey.api.security.Directive;
 import org.labkey.api.security.Group;
 import org.labkey.api.security.IgnoresTermsOfUse;
 import org.labkey.api.security.LimitedUser;
 import org.labkey.api.security.MethodsAllowed;
 import org.labkey.api.security.RequiresNoPermission;
 import org.labkey.api.security.RequiresPermission;
-import org.labkey.api.security.RequiresSiteAdmin;
 import org.labkey.api.security.RoleAssignment;
 import org.labkey.api.security.SecurityManager;
 import org.labkey.api.security.User;
@@ -87,8 +77,6 @@
 import org.labkey.api.util.JsonUtil;
 import org.labkey.api.util.PageFlowUtil;
 import org.labkey.api.util.Path;
-import org.labkey.api.util.element.CsrfInput;
-import org.labkey.api.view.HtmlView;
 import org.labkey.api.view.HttpView;
 import org.labkey.api.view.JspView;
 import org.labkey.api.view.NavTree;
@@ -101,6 +89,7 @@
 import org.labkey.api.webdav.WebdavService;
 import org.labkey.cds.view.template.ConnectorTemplate;
 import org.labkey.cds.view.template.FrontPageTemplate;
+import org.labkey.filters.ContentSecurityPolicyFilter;
 import org.springframework.beans.PropertyValues;
 import org.springframework.validation.BindException;
 import org.springframework.web.servlet.ModelAndView;
@@ -110,7 +99,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
-import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -133,6 +121,9 @@ public class CDSController extends SpringActionController
 {
 static
 {
+ // CSP frame-src exemption
+ ContentSecurityPolicyFilter.registerAllowedSources(Directive.Frame, CDSModule.GETTING_STARTED_VIDEO_URL, "https://player.vimeo.com");
+
 try
 {
 Class.forName("org.labkey.query.jdbc.QueryDriver");
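Review bot: The new `registerAllowedSources` call sits in CDSController's static initializer, so a server-level security header is changed as a side effect of loading a controller class; the allowance appears to take effect only once this class has been initialized and, as far as the hunk shows, is not limited to CDS pages. Registering it from the module's startup code would make the policy deterministic, and wherever it lives the comment should say why the origin is needed and how far it reaches, for example `// Allow the embedded video player iframe; adds https://player.vimeo.com to frame-src for every response the CSP filter covers` (the purpose is inferred from the constant name and should be confirmed). It is also not visible here whether `CDSModule.GETTING_STARTED_VIDEO_URL` is a registration key or a second source expression; if it is a source, it should be a bare origin, because a property name or a URL carrying a query string is not a valid CSP source and would either be ignored by browsers or broaden the policy unpredictably. The static block continues past the end of the hunk, so the interaction with the `Class.forName` try block below was not reviewed.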