From 06048ee26f34f458013223e702142cb4ec9a945e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sascha=20I=C3=9Fbr=C3=BCcker?=
 <sascha.issbruecker@googlemail.com>
Date: Sat, 3 Jan 2026 16:33:49 +0100
Subject: [PATCH] Allow viewing video assets (#1259)

---
 bookmarks/tests/test_bookmark_asset_view.py | 18 ++++++++++++++++--
 bookmarks/views/assets.py                   |  5 ++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/bookmarks/tests/test_bookmark_asset_view.py b/bookmarks/tests/test_bookmark_asset_view.py
index f65937d..bca1aee 100644
--- a/bookmarks/tests/test_bookmark_asset_view.py
+++ b/bookmarks/tests/test_bookmark_asset_view.py
@@ -27,14 +27,14 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
         )
         return asset
 
-    def setup_asset_with_uploaded_file(self, bookmark):
+    def setup_asset_with_uploaded_file(self, bookmark, content_type="image/png"):
         filename = f"temp_{bookmark.id}.png.gzip"
         self.setup_asset_file(filename)
         asset = self.setup_asset(
             bookmark=bookmark,
             file=filename,
             asset_type=BookmarkAsset.TYPE_UPLOAD,
-            content_type="image/png",
+            content_type=content_type,
             display_name=f"Uploaded file {bookmark.id}.png",
         )
         return asset
@@ -164,3 +164,17 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
             f'inline; filename="{asset.display_name}"',
         )
         self.assertEqual(response["Content-Security-Policy"], "sandbox allow-scripts")
+
+    def test_uploaded_video_download_headers(self):
+        bookmark = self.setup_bookmark()
+        asset = self.setup_asset_with_uploaded_file(bookmark, content_type="video/mp4")
+        response = self.client.get(reverse("linkding:assets.view", args=[asset.id]))
+
+        self.assertEqual(response["Content-Type"], asset.content_type)
+        self.assertEqual(
+            response["Content-Disposition"],
+            f'inline; filename="{asset.display_name}"',
+        )
+        self.assertEqual(
+            response["Content-Security-Policy"], "default-src 'none'; media-src 'self';"
+        )
diff --git a/bookmarks/views/assets.py b/bookmarks/views/assets.py
index 89ff1c6..688ec05 100644
--- a/bookmarks/views/assets.py
+++ b/bookmarks/views/assets.py
@@ -33,7 +33,10 @@ def view(request, asset_id: int):
 
     response = HttpResponse(content, content_type=asset.content_type)
     response["Content-Disposition"] = f'inline; filename="{asset.download_name}"'
-    response["Content-Security-Policy"] = "sandbox allow-scripts"
+    if asset.content_type and asset.content_type.startswith("video/"):
+        response["Content-Security-Policy"] = "default-src 'none'; media-src 'self';"
+    else:
+        response["Content-Security-Policy"] = "sandbox allow-scripts"
     return response