From d405a5f086e1098a30db4eb3089a838e0fcf84de Mon Sep 17 00:00:00 2001
From: ansuz
Date: Tue, 15 Mar 2022 15:29:18 +0530
Subject: [PATCH] disable remote embedding by default
---
 lib/env.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/env.js b/lib/env.js
index 4262e3fbf..64280193b 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -153,6 +153,9 @@ module.exports.create = function (config) {
 }
 },
+ // as of 4.14.0 you need to opt-in to remote embedding.
+ disableEmbedding: true,
+
 /* FIXME restrictRegistration is initialized as false and then overridden by admin decree There is a narrow window in which someone could register before the server updates this value. See also the cached 'restrictRegistration' value in server.js#serveConfig
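Review bot: The comment above `disableEmbedding: true` says embedding is now opt-in but not how an operator opts in, and the value is a literal rather than something read from `config`. Judging by the FIXME just below it, fields of this object seem to be overridden later by admin decree; if that is the mechanism here, I would say so in the comment, e.g. `// as of 4.14.0 remote embedding is opt-in; stays disabled until an admin explicitly enables it`. Starting from `true` is the safe direction: unlike `restrictRegistration`, the window before any override is applied leaves embedding off rather than on. It is worth confirming that any cached copy of this value (the FIXME mentions one in server.js#serveConfig for `restrictRegistration`) and whatever sets the framing headers read the same flag. `module.exports.create` begins and ends outside this hunk.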