From 13c2a4886f60fba8c92ee8e002c7244887a21677 Mon Sep 17 00:00:00 2001
From: Martin Brennan <mjrbrennan@gmail.com>
Date: Thu, 25 Feb 2021 12:39:15 +1000
Subject: [PATCH] FEATURE: Add disable_onebox_media_download_controls hidden
 site setting (#12208)

Uses discourse/onebox@ff9ec90

Adds a hidden site setting called disable_onebox_media_download_controls which will add controlslist="nodownload" to video and audio oneboxes, and also to the local video and audio oneboxes within Discourse.
---
 config/site_settings.yml                       |  3 +++
 lib/onebox/discourse_onebox_sanitize_config.rb | 11 ++++++++---
 lib/oneboxer.rb                                | 12 ++++++++++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/config/site_settings.yml b/config/site_settings.yml
index 3f010aa72ce..faba7b8a3f5 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1591,6 +1591,9 @@ security:
   send_old_credential_reminder_days:
     default: 0
     hidden: true
+  disable_onebox_media_download_controls:
+    default: false
+    hidden: true
 
 onebox:
   enable_flash_video_onebox: false
diff --git a/lib/onebox/discourse_onebox_sanitize_config.rb b/lib/onebox/discourse_onebox_sanitize_config.rb
index 93902fa347b..b9ab7ae64cb 100644
--- a/lib/onebox/discourse_onebox_sanitize_config.rb
+++ b/lib/onebox/discourse_onebox_sanitize_config.rb
@@ -5,9 +5,14 @@ module Onebox
     module Config
       DISCOURSE_ONEBOX ||=
         Sanitize::Config.freeze_config(
-          Sanitize::Config.merge(Sanitize::Config::ONEBOX,
-                                 attributes: Sanitize::Config.merge(Sanitize::Config::ONEBOX[:attributes],
-                                                                    'aside' => [:data])))
+          Sanitize::Config.merge(
+            Sanitize::Config::ONEBOX,
+            attributes: Sanitize::Config.merge(
+              Sanitize::Config::ONEBOX[:attributes],
+              'aside' => [:data]
+            )
+          )
+        )
     end
   end
 end
diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index eecc2a38d0b..edb47930f4f 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -221,18 +221,25 @@ module Oneboxer
   end
 
   def self.local_upload_html(url)
+    additional_controls = \
+      if SiteSetting.disable_onebox_media_download_controls
+        "controlslist='nodownload'"
+      else
+        ""
+      end
+
     case File.extname(URI(url).path || "")
     when VIDEO_REGEX
       <<~HTML
         <div class="onebox video-onebox">
-          <video width="100%" height="100%" controls="">
+          <video #{additional_controls} width="100%" height="100%" controls="">
             <source src='#{url}'>
             <a href='#{url}'>#{url}</a>
           </video>
         </div>
       HTML
     when AUDIO_REGEX
-      "<audio controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
+      "<audio #{additional_controls} controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
     end
   end
 
@@ -385,6 +392,7 @@ module Oneboxer
         allowed_iframe_origins: allowed_iframe_origins,
         hostname: GlobalSetting.hostname,
         facebook_app_access_token: SiteSetting.facebook_app_access_token,
+        disable_media_download_controls: SiteSetting.disable_onebox_media_download_controls
       }
 
       options[:cookie] = fd.cookie if fd.cookie