From a02a76cc8729dbca7d20f40d6fd02bd4a4f97613 Mon Sep 17 00:00:00 2001 From: Oliver Tacke Date: Thu, 18 Jun 2020 16:43:55 +0200 Subject: [PATCH 1/5] Set generous HTTP feature policy User still needs to confirm use of features. Server settings take precedence anyway. Can be overridden by setting H5P_HTTP_FEATURE_POLICY. --- public/class-h5p-plugin.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/public/class-h5p-plugin.php b/public/class-h5p-plugin.php index 94dbd93..0b9a7a6 100644 --- a/public/class-h5p-plugin.php +++ b/public/class-h5p-plugin.php @@ -66,6 +66,13 @@ class H5P_Plugin { */ protected static $settings = null; + /** + * Default settings for HTTP Feature Policy. + * + * @var string + */ + protected static $h5p_http_feature_policy = 'accelerometer *; autoplay *; camera *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *;'; + /** * Initialize the plugin by setting localization and loading public scripts * and styles. @@ -1042,7 +1049,15 @@ public function add_assets($content, $no_cache = FALSE) { return '
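Review bot: The default in `$h5p_http_feature_policy` delegates camera, microphone and geolocation with `*`, which in an iframe `allow` attribute covers the framed document and every cross-origin frame nested inside it. H5P content that embeds third-party pages would inherit those features, and in browsers that attribute delegated permissions to the top-level site, a grant already given to the WordPress site may apply without a new prompt, so "user still needs to confirm" probably does not hold everywhere. Consider bare feature names, which default to the iframe's own `src` origin: `'accelerometer; autoplay; camera; fullscreen; geolocation; gyroscope; magnetometer; microphone'`. The same wildcard default is carried into the `clipboard-write *` change in patch 2 and the array form in patch 4. The docblock could also say that this is the value of the iframe `allow` attribute, not an HTTP response header.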
'; } else { - return '
'; + // Set HTTP feature policy attribute + if ( defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY ) { + $h5p_http_feature_policy = 'allow="' . H5P_HTTP_FEATURE_POLICY . '"'; + } + else { + $h5p_http_feature_policy = 'allow="' . self::$h5p_http_feature_policy . '"'; + } + + return '
'; } } From cbbe55a7be238a717cfeb24004cb54f9a3faec3c Mon Sep 17 00:00:00 2001 From: Oliver Tacke Date: Thu, 31 Mar 2022 00:01:38 +0200 Subject: [PATCH 2/5] Allow iframe content to write to clipboard Is used by Structure Strip, for instance --- public/class-h5p-plugin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/class-h5p-plugin.php b/public/class-h5p-plugin.php index f31bb5c..efee3d9 100644 --- a/public/class-h5p-plugin.php +++ b/public/class-h5p-plugin.php @@ -71,7 +71,7 @@ class H5P_Plugin { * * @var string */ - protected static $h5p_http_feature_policy = 'accelerometer *; autoplay *; camera *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *;'; + protected static $h5p_http_feature_policy = 'accelerometer *; autoplay *; camera *; clipboard-write *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *;'; /** * Initialize the plugin by setting localization and loading public scripts From ea0e34a732a8f609ab492d71b938214e6e9b88c7 Mon Sep 17 00:00:00 2001 From: Oliver Tacke Date: Fri, 1 Apr 2022 16:24:02 +0200 Subject: [PATCH 3/5] Add permission policy to embed code --- public/class-h5p-plugin.php | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/public/class-h5p-plugin.php b/public/class-h5p-plugin.php index efee3d9..0558e03 100644 --- a/public/class-h5p-plugin.php +++ b/public/class-h5p-plugin.php @@ -932,6 +932,20 @@ public function shortcode($atts) { return $this->add_assets($content); } + /** + * Get permission policy property. + * + * @return string Permission policy. + */ + public function get_http_feature_policy_property() { + // Set HTTP feature policy attribute + if ( defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY ) { + return 'allow="' . H5P_HTTP_FEATURE_POLICY . '"'; + } + + return 'allow="' . self::$h5p_http_feature_policy . '"'; + } + /** * Get settings for given content * 
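Review bot: `H5P_HTTP_FEATURE_POLICY` is concatenated into the `allow="…"` attribute without escaping in the added branch of `add_assets`, so a double quote in the configured value ends the attribute and the remainder is parsed as markup. Escape both values: `'allow="' . esc_attr( H5P_HTTP_FEATURE_POLICY ) . '"'` and `'allow="' . esc_attr( self::$h5p_http_feature_policy ) . '"'`. The same concatenation moves unchanged into `get_http_feature_policy_property()` in patch 3. The iframe markup that receives `$h5p_http_feature_policy` is not visible on this page, and `add_assets` starts and ends outside the hunk.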
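Review bot: The docblock on the new `get_http_feature_policy_property()` describes the return value as "Permission policy", but the method returns a complete `allow="…"` attribute ready to be pasted into an iframe tag. Say so, for example `@return string Complete allow="…" attribute for the H5P iframe.`, so that callers do not wrap it in a second attribute. The inline comment `// Set HTTP feature policy attribute` was copied from `add_assets` and would read better as `// H5P_HTTP_FEATURE_POLICY, when defined and non-empty, replaces the default`.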
@@ -976,13 +990,15 @@ public function get_content_settings($content) { : '' ); + $h5p_http_feature_policy = $this->get_http_feature_policy_property(); + // Add JavaScript settings for this content $settings = array( 'library' => H5PCore::libraryToString($content['library']), 'jsonContent' => $safe_parameters, 'fullScreen' => $content['library']['fullscreen'], 'exportUrl' => get_option('h5p_export', TRUE) ? $this->get_h5p_url() . '/exports/' . ($content['slug'] ? $content['slug'] . '-' : '') . $content['id'] . '.h5p' : '', - 'embedCode' => '', + 'embedCode' => '', 'resizeCode' => '', 'url' => admin_url('admin-ajax.php?action=h5p_embed&id=' . $content['id']), 'title' => $content['title'], @@ -1058,14 +1074,8 @@ public function add_assets($content, $no_cache = FALSE) { $h5p_content_wrapper = '
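Review bot: `embedCode` is markup that visitors copy into other sites, so adding the result of `get_http_feature_policy_property()` exports this site's policy to pages whose owners never configured `H5P_HTTP_FEATURE_POLICY`. By default that policy is the `*` wildcard for camera, microphone and geolocation. The string itself is not visible on this page, so this is inferred from the added assignment and the commit subject. Consider leaving the attribute out of the embed code or limiting it there to low-risk features such as `fullscreen`, and record the choice in a comment above the `'embedCode'` entry. `get_content_settings` starts and ends outside the hunk.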
'; } else { - // Set HTTP feature policy attribute - if ( defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY ) { - $h5p_http_feature_policy = 'allow="' . H5P_HTTP_FEATURE_POLICY . '"'; - } - else { - $h5p_http_feature_policy = 'allow="' . self::$h5p_http_feature_policy . '"'; - } - + $h5p_http_feature_policy = $this->get_http_feature_policy_property(); + $title = isset($content['metadata']['a11yTitle']) ? $content['metadata']['a11yTitle'] : (isset($content['metadata']['title']) @@ -1073,7 +1083,7 @@ public function add_assets($content, $no_cache = FALSE) { : '' ); - $h5p_content_wrapper = '
'; + $h5p_content_wrapper = '
'; } return apply_filters('print_h5p_content', $h5p_content_wrapper, $content); From 3ee62946e9c7db408b9c465cf7ffb7134c831c16 Mon Sep 17 00:00:00 2001 From: kelvin Date: Wed, 11 May 2022 14:01:46 -0700 Subject: [PATCH 4/5] Make $h5p_http_feature_policy become an array that can be overridden by WordPress hooks. --- public/class-h5p-plugin.php | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/public/class-h5p-plugin.php b/public/class-h5p-plugin.php index 0558e03..13fe1e5 100644 --- a/public/class-h5p-plugin.php +++ b/public/class-h5p-plugin.php @@ -71,7 +71,17 @@ class H5P_Plugin { * * @var string */ - protected static $h5p_http_feature_policy = 'accelerometer *; autoplay *; camera *; clipboard-write *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *;'; + protected static $h5p_http_feature_policy = array( + 'accelerometer' => '*', + 'autoplay' => '*', + 'camera' => '*', + 'clipboard-write' => '*', + 'fullscreen' => '*', + 'geolocation' => '*', + 'gyroscope' => '*', + 'magnetometer' => '*', + 'microphone' => '*' + ); /** * Initialize the plugin by setting localization and loading public scripts 
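Review bot: The docblock above `$h5p_http_feature_policy` still says `@var string` although the property is now an array keyed by feature name. Change it to `@var array` and describe the shape, for example `Map of feature name to allowlist, e.g. 'camera' => '*'.`. A trailing comma after `'microphone' => '*'` would keep later additions to one-line diffs.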
@@ -939,11 +949,16 @@ public function shortcode($atts) { */ public function get_http_feature_policy_property() { // Set HTTP feature policy attribute - if ( defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY ) { - return 'allow="' . H5P_HTTP_FEATURE_POLICY . '"'; - } - - return 'allow="' . self::$h5p_http_feature_policy . '"'; + $h5p_http_feature_policy_list = apply_filters( 'h5p_h5p_http_feature_policy', defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY ? H5P_HTTP_FEATURE_POLICY : self::$h5p_http_feature_policy ); + + array_walk( + $h5p_http_feature_policy_list, + function( &$feature_policy_value, $feature_policy_name ) { + $feature_policy_value = $feature_policy_name . ' \'' . $feature_policy_value . '\''; + } + ); + + return 0 === count( $h5p_http_feature_policy_list ) ? '' : 'allow="' . implode( ';', $h5p_http_feature_policy_list ) . '"'; } /** From cdee4fd375d330962b783cd11e4022f677d9ea2c Mon Sep 17 00:00:00 2001 From: kelvin Date: Wed, 11 May 2022 14:02:37 -0700 Subject: [PATCH 5/5] Add type check just to be safe --- public/class-h5p-plugin.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/class-h5p-plugin.php b/public/class-h5p-plugin.php index 13fe1e5..bc60f03 100644 --- a/public/class-h5p-plugin.php +++ b/public/class-h5p-plugin.php @@ -957,8 +957,8 @@ function( &$feature_policy_value, $feature_policy_name ) { $feature_policy_value = $feature_policy_name . ' \'' . $feature_policy_value . '\''; } ); - - return 0 === count( $h5p_http_feature_policy_list ) ? '' : 'allow="' . implode( ';', $h5p_http_feature_policy_list ) . '"'; + + return is_array( $h5p_http_feature_policy_list ) && 0 === count( $h5p_http_feature_policy_list ) ? '' : 'allow="' . implode( ';', $h5p_http_feature_policy_list ) . '"'; } /**
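Review bot: The rewritten `get_http_feature_policy_property()` passes a defined `H5P_HTTP_FEATURE_POLICY` straight to `array_walk()`, although patch 1 introduced that constant as a policy string. Existing configurations would therefore hit a warning or a TypeError, depending on the PHP version. The callback also wraps every allowlist in single quotes, producing `camera '*'`. In the `allow` syntax only keywords such as `'self'` are quoted, while `*` and origins are written bare, so browsers will most likely ignore the quoted wildcard and delegate nothing. Filter output reaches the attribute unescaped. The filter name `h5p_h5p_http_feature_policy` also has a doubled prefix, which is worth fixing before anyone depends on it. A version that accepts both forms and escapes once follows.

```php
public function get_http_feature_policy_property() {
  $policy = defined( 'H5P_HTTP_FEATURE_POLICY' ) && H5P_HTTP_FEATURE_POLICY
    ? H5P_HTTP_FEATURE_POLICY
    : self::$h5p_http_feature_policy;
  $policy = apply_filters( 'h5p_h5p_http_feature_policy', $policy );

  // A string is a ready-made policy, the form the constant has had since patch 1.
  if ( is_string( $policy ) ) {
    return '' === trim( $policy ) ? '' : 'allow="' . esc_attr( $policy ) . '"';
  }
  if ( ! is_array( $policy ) || 0 === count( $policy ) ) {
    return '';
  }

  $directives = array();
  foreach ( $policy as $feature => $allowlist ) {
    // Emit the allowlist as given: `*` and origins stay bare, keywords bring their own quotes.
    $directives[] = $feature . ' ' . $allowlist;
  }

  return 'allow="' . esc_attr( implode( '; ', $directives ) ) . '"';
}
```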
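Review bot: The added `is_array()` test does not protect anything. `array_walk()` has already run on the value in the lines above, and a non-array makes the condition false, which selects the branch that calls `implode()` on it. Guard before the walk instead, `if ( ! is_array( $h5p_http_feature_policy_list ) ) { return ''; }`, and leave the return expression as it was. If a string `H5P_HTTP_FEATURE_POLICY` is meant to stay supported, that early branch should return `'allow="' . esc_attr( $h5p_http_feature_policy_list ) . '"'` instead. The function starts outside the hunk.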