From 006194fcdb0e9d8531d21366f6f2a35386624f3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20FAMIBELLE-PRONZOLA?=
Date: Mon, 29 Sep 2025 18:58:14 +0400
Subject: [PATCH] fix: add security exception to allow S3 media

---
 includes/config.default.php | 4 ++++
 includes/config.local.php.sample | 5 +++++
 includes/security.php | 29 +++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/includes/config.default.php b/includes/config.default.php
index ffc354c..8ffd862 100644
--- a/includes/config.default.php
+++ b/includes/config.default.php
@@ -48,6 +48,10 @@ if (!defined('MASTODON_BTN_RELOAD')) define('MASTODON_BTN_RELOAD', 'Rafraichir')
 if (!defined('MASTODON_MAX_POST_FETCH')) define('MASTODON_MAX_POST_FETCH', '10');
 if (!defined('MASTODON_MAX_POST_SHOW')) define('MASTODON_MAX_POST_SHOW', '10');
 
+// URL du stockage S3 pour les médias Mastodon (laissez vide pour désactiver)
+// Format: https://votre-bucket.s3.region.provider.com
+if (!defined('MASTODON_S3_MEDIA_URL')) define('MASTODON_S3_MEDIA_URL', 'https://s3.eu-central-003.backblazeb2.com');
+
 // Informations du site
 if (!defined('SITE_NAME')) define('SITE_NAME', 'kaubuntu.re');
 if (!defined('SITE_DESCRIPTION')) define('SITE_DESCRIPTION', 'Votre plateforme de médias libres');
diff --git a/includes/config.local.php.sample b/includes/config.local.php.sample
index 94ca9c2..53029c0 100644
--- a/includes/config.local.php.sample
+++ b/includes/config.local.php.sample
@@ -210,6 +210,11 @@ define('PRIORITY_CATEGORIES', [
 // Nombre maximum de posts à afficher
 // define('MASTODON_MAX_POST_SHOW', '10');
 
+// URL du stockage S3 pour les médias Mastodon (optionnel)
+// Format: https://votre-bucket.s3.region.provider.com
+// Laissez vide ou commentez pour désactiver
+// define('MASTODON_S3_MEDIA_URL', 'https://s3.eu-central-003.backblazeb2.com');
+
 // =========================================
 // Contact
 // =========================================
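Review bot: The default given to `MASTODON_S3_MEDIA_URL` is a live third-party endpoint, `https://s3.eu-central-003.backblazeb2.com`, although the comment directly above it says to leave the value empty to disable the feature. config.default.php is the fallback for every deployment that does not override the constant in config.local.php, so all of them add this origin to their CSP without having chosen to. Defaulting to the empty string, `if (!defined('MASTODON_S3_MEDIA_URL')) define('MASTODON_S3_MEDIA_URL', '');`, makes the allowance opt-in, matches the sample file in the next hunk where the define is commented out, and needs no change in security.php, which already skips the entry via `!empty(MASTODON_S3_MEDIA_URL)`. Note also that the documented format is a bucket-scoped host (`votre-bucket.s3.region.provider.com`) while the default is the bare regional endpoint, which allow-lists every bucket on that endpoint rather than only the site's own. If the Backblaze host is intended as a real default, the comment should say so instead of presenting it as a placeholder.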
diff --git a/includes/security.php b/includes/security.php
index cba3e6a..216680a 100644
--- a/includes/security.php
+++ b/includes/security.php
@@ -247,6 +247,35 @@ function setSecurityHeaders() {
 }
 $csp .= "connect-src " . $connectSrc . "; ";
 
+ // Médias : toujours autoriser 'self', Mastodon et PeerTube
+ $mediaSrc = "'self'";
+
+ // Ajouter l'instance Mastodon (pour les médias stockés sur l'instance)
+ if ($mastodonDomain) {
+ $mediaSrc .= " " . $mastodonDomain;
+ }
+
+ // Ajouter PeerTube
+ if ($peertubeDomain) {
+ $mediaSrc .= " " . $peertubeDomain;
+ }
+
+ // Ajouter l'URL S3 Mastodon si configurée (pour les médias externalisés)
+ if (defined('MASTODON_S3_MEDIA_URL') && !empty(MASTODON_S3_MEDIA_URL)) {
+ $s3Parsed = parse_url(MASTODON_S3_MEDIA_URL);
+ if ($s3Parsed && isset($s3Parsed['host'])) {
+ $s3Domain = $s3Parsed['scheme'] . '://' . $s3Parsed['host'];
+ $mediaSrc .= " " . $s3Domain;
+ }
+ }
+
+ if ($isLocalDev) {
+ $mediaSrc .= " https: http:";
+ } else {
+ $mediaSrc .= " https:";
+ }
+ $csp .= "media-src " . $mediaSrc . "; ";
+
 $csp .= "object-src 'none'; ";
 $csp .= "base-uri 'self';";