Mirrored_Repos/invidious
1
0
Fork 0
mirror of https://github.com/iv-org/invidious.git synced 2025-05-19 13:01:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: set CSP header after setting preferences of registered users

Browse Source 
Fixes https://github.com/iv-org/invidious/issues/5142

add reason why extra_media_csp is after reading user preferences from the database and cookies

set media-src after loading database user preferences
This commit is contained in:
Fijxu 2025-05-08 02:21:06 -04:00
parent d1bc15b8bf
commit 401bc110d6
No known key found for this signature in database
GPG Key ID: 32C1DDF333EDA6A4
1 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/invidious/routes/before_all.cr
View File

@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll
env.response.headers["X-XSS-Protection"] = "1; mode=block" env.response.headers["X-XSS-Protection"] = "1; mode=block"
env.response.headers["X-Content-Type-Options"] = "nosniff" env.response.headers["X-Content-Type-Options"] = "nosniff"
# Allow media resources to be loaded from google servers
# TODO: check if *.youtube.com can be removed
if CONFIG.disabled?("local") || !preferences.local
extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
else
extra_media_csp = ""
end
# Only allow the pages at /embed/* to be embedded # Only allow the pages at /embed/* to be embedded
if env.request.resource.starts_with?("/embed") if env.request.resource.starts_with?("/embed")
frame_ancestors = "'self' file: http: https:" frame_ancestors = "'self' file: http: https:"
@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll
"font-src 'self' data:", "font-src 'self' data:",
"connect-src 'self'", "connect-src 'self'",
"manifest-src 'self'", "manifest-src 'self'",
"media-src 'self' blob:" + extra_media_csp, "media-src 'self' blob:",
"child-src 'self' blob:", "child-src 'self' blob:",
"frame-src 'self'", "frame-src 'self'",
"frame-ancestors " + frame_ancestors, "frame-ancestors " + frame_ancestors,
@ -110,6 +102,20 @@ module Invidious::Routes::BeforeAll
preferences.locale = locale preferences.locale = locale
env.set "preferences", preferences env.set "preferences", preferences
# Allow media resources to be loaded from google servers
# TODO: check if *.youtube.com can be removed
#
# `!preferences.local` has to be checked after setting and
# reading `preferences` from the "PREFS" cookie and
# saved user preferences from the database, otherwise
# the `extra_media_csp` variable will be always empty if
# `default_user_preferences.local` is set to true on the
# configuration file, causing preference “Proxy Videos”
# not to work.
if CONFIG.disabled?("local") || !preferences.local
env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")
end
current_page = env.request.path current_page = env.request.path
if env.request.query if env.request.query
query = HTTP::Params.parse(env.request.query.not_nil!) query = HTTP::Params.parse(env.request.query.not_nil!)