From 401bc110d6a6231aa8e2c55bb03876825129b88d Mon Sep 17 00:00:00 2001 From: Fijxu Date: Thu, 8 May 2025 02:21:06 -0400 Subject: [PATCH 1/4] fix: set CSP header after setting preferences of registered users Fixes https://github.com/iv-org/invidious/issues/5142 add reason why extra_media_csp is after reading user preferences from the database and cookies set media-src after loading database user preferences --- src/invidious/routes/before_all.cr | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr index 5695dee9..0cc04021 100644 --- a/src/invidious/routes/before_all.cr +++ b/src/invidious/routes/before_all.cr @@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll env.response.headers["X-XSS-Protection"] = "1; mode=block" env.response.headers["X-Content-Type-Options"] = "nosniff" - # Allow media resources to be loaded from google servers - # TODO: check if *.youtube.com can be removed - if CONFIG.disabled?("local") || !preferences.local - extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443" - else - extra_media_csp = "" - end - # Only allow the pages at /embed/* to be embedded if env.request.resource.starts_with?("/embed") frame_ancestors = "'self' file: http: https:" @@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll "font-src 'self' data:", "connect-src 'self'", "manifest-src 'self'", - "media-src 'self' blob:" + extra_media_csp, + "media-src 'self' blob:", "child-src 'self' blob:", "frame-src 'self'", "frame-ancestors " + frame_ancestors, 
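Review bot: The `"media-src 'self' blob:"` literal left in the second hunk (`@@ -45,7 +37,7 @@`) is now widened elsewhere in the same handler, by a string replace on the already-assembled header once the user's preferences are known, and nothing at this line says so. A one-line comment keeps the two sites from drifting apart: `# media-src is widened further down, after preferences.local has been loaded`. If the wording of this directive ever changes, the later replacement has to change with it or the widening silently stops applying. The enclosing handler starts and ends outside the hunk.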
@@ -110,6 +102,20 @@ module Invidious::Routes::BeforeAll preferences.locale = locale env.set "preferences", preferences + # Allow media resources to be loaded from google servers + # TODO: check if *.youtube.com can be removed + # + # `!preferences.local` has to be checked after setting and + # reading `preferences` from the "PREFS" cookie and + # saved user preferences from the database, otherwise + # the `extra_media_csp` variable will be always empty if + # `default_user_preferences.local` is set to true on the + # configuration file, causing preference “Proxy Videos” + # not to work. + if CONFIG.disabled?("local") || !preferences.local + env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443") + end + current_page = env.request.path if env.request.query query = HTTP::Params.parse(env.request.query.not_nil!) From 1492453c6018c633e944f08b93ecf054599caa62 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 10 May 2025 16:30:19 -0400 Subject: [PATCH 2/4] update comment --- src/invidious/routes/before_all.cr | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr index 0cc04021..b5269668 100644 --- a/src/invidious/routes/before_all.cr +++ b/src/invidious/routes/before_all.cr 
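Review bot: The new `if` block widens the policy by substring, `gsub("media-src", ...)`, which rewrites every occurrence of that text in the header and does nothing at all, with no error, if the directive assembled earlier is ever renamed or dropped; matching the whole directive makes the coupling explicit and fails loudly under review: `.sub("media-src 'self' blob:", "media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443")`. The right-hand `env.response.headers["Content-Security-Policy"]` presumably raises when the header is absent, which looks acceptable here because the directive list in the first patch appears to set it unconditionally, but a `[]?` lookup with an early return would make this block safe to move. The failure direction is otherwise sound: if this block is not reached, `media-src` stays at `'self' blob:`, and the inserted sources are constants rather than request-derived, so no header-injection concern is introduced. The enclosing handler starts and ends outside the hunk.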
@@ -108,10 +108,11 @@ module Invidious::Routes::BeforeAll # `!preferences.local` has to be checked after setting and # reading `preferences` from the "PREFS" cookie and # saved user preferences from the database, otherwise - # the `extra_media_csp` variable will be always empty if + # `https://*.googlevideo.com:443 https://*.youtube.com:443` + # will not be set in the CSP header if # `default_user_preferences.local` is set to true on the # configuration file, causing preference “Proxy Videos” - # not to work. + # not to work while having it disabled and using medium quality. if CONFIG.disabled?("local") || !preferences.local env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443") end From aab6ff4bb6e4d3174ab812e5a2cdeec841d2358e Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 10 May 2025 23:02:34 -0400 Subject: [PATCH 3/4] Update src/invidious/routes/before_all.cr Co-authored-by: syeopite <70992037+syeopite@users.noreply.github.com> --- src/invidious/routes/before_all.cr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr index b5269668..0c7bbdc2 100644 --- a/src/invidious/routes/before_all.cr +++ b/src/invidious/routes/before_all.cr @@ -114,7 +114,7 @@ module Invidious::Routes::BeforeAll # configuration file, causing preference “Proxy Videos” # not to work while having it disabled and using medium quality. if CONFIG.disabled?("local") || !preferences.local - env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443") + env.response.headers.update("Content-Security-Policy", &.gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")) end current_page = env.request.path 
From 6fe21a7523c2c944ebc616e3573f50ee5fc6ce8f Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 10 May 2025 23:08:48 -0400 Subject: [PATCH 4/4] Revert "Update src/invidious/routes/before_all.cr" This reverts commit aab6ff4bb6e4d3174ab812e5a2cdeec841d2358e. --- src/invidious/routes/before_all.cr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr index 0c7bbdc2..b5269668 100644 --- a/src/invidious/routes/before_all.cr +++ b/src/invidious/routes/before_all.cr @@ -114,7 +114,7 @@ module Invidious::Routes::BeforeAll # configuration file, causing preference “Proxy Videos” # not to work while having it disabled and using medium quality. if CONFIG.disabled?("local") || !preferences.local - env.response.headers.update("Content-Security-Policy", &.gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")) + env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443") end current_page = env.request.path