diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr index 5695dee9..0cc04021 100644 --- a/src/invidious/routes/before_all.cr +++ b/src/invidious/routes/before_all.cr @@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll env.response.headers["X-XSS-Protection"] = "1; mode=block" env.response.headers["X-Content-Type-Options"] = "nosniff" - # Allow media resources to be loaded from google servers - # TODO: check if *.youtube.com can be removed - if CONFIG.disabled?("local") || !preferences.local - extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443" - else - extra_media_csp = "" - end - # Only allow the pages at /embed/* to be embedded if env.request.resource.starts_with?("/embed") frame_ancestors = "'self' file: http: https:" @@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll "font-src 'self' data:", "connect-src 'self'", "manifest-src 'self'", - "media-src 'self' blob:" + extra_media_csp, + "media-src 'self' blob:", "child-src 'self' blob:", "frame-src 'self'", "frame-ancestors " + frame_ancestors, @@ -110,6 +102,20 @@ module Invidious::Routes::BeforeAll preferences.locale = locale env.set "preferences", preferences + # Allow media resources to be loaded from google servers + # TODO: check if *.youtube.com can be removed + # + # `!preferences.local` has to be checked after setting and + # reading `preferences` from the "PREFS" cookie and + # saved user preferences from the database, otherwise + # the `extra_media_csp` variable will be always empty if + # `default_user_preferences.local` is set to true on the + # configuration file, causing preference “Proxy Videos” + # not to work. + if CONFIG.disabled?("local") || !preferences.local + env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443") + end + current_page = env.request.path if env.request.query query = HTTP::Params.parse(env.request.query.not_nil!)