Mirrored_Repos/invidious
1
0
Fork 0
mirror of https://github.com/iv-org/invidious.git synced 2025-05-19 04:51:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: set CSP header after setting preferences of registered users (#5275)

Browse Source
This commit is contained in:
syeopite 2025-05-17 16:17:43 -07:00
commit 4b2f9ffffc
No known key found for this signature in database
GPG Key ID: A73C186DA3955A1A
1 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/invidious/routes/before_all.cr
View File

@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll
env.response.headers["X-XSS-Protection"] = "1; mode=block" env.response.headers["X-XSS-Protection"] = "1; mode=block"
env.response.headers["X-Content-Type-Options"] = "nosniff" env.response.headers["X-Content-Type-Options"] = "nosniff"
# Allow media resources to be loaded from google servers
# TODO: check if *.youtube.com can be removed
if CONFIG.disabled?("local") || !preferences.local
extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
else
extra_media_csp = ""
end
# Only allow the pages at /embed/* to be embedded # Only allow the pages at /embed/* to be embedded
if env.request.resource.starts_with?("/embed") if env.request.resource.starts_with?("/embed")
frame_ancestors = "'self' file: http: https:" frame_ancestors = "'self' file: http: https:"
@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll
"font-src 'self' data:", "font-src 'self' data:",
"connect-src 'self'", "connect-src 'self'",
"manifest-src 'self'", "manifest-src 'self'",
"media-src 'self' blob:" + extra_media_csp, "media-src 'self' blob:",
"child-src 'self' blob:", "child-src 'self' blob:",
"frame-src 'self'", "frame-src 'self'",
"frame-ancestors " + frame_ancestors, "frame-ancestors " + frame_ancestors,
@ -110,6 +102,21 @@ module Invidious::Routes::BeforeAll
preferences.locale = locale preferences.locale = locale
env.set "preferences", preferences env.set "preferences", preferences
# Allow media resources to be loaded from google servers
# TODO: check if *.youtube.com can be removed
#
# `!preferences.local` has to be checked after setting and
# reading `preferences` from the "PREFS" cookie and
# saved user preferences from the database, otherwise
# `https://*.googlevideo.com:443 https://*.youtube.com:443`
# will not be set in the CSP header if
# `default_user_preferences.local` is set to true on the
# configuration file, causing preference “Proxy Videos”
# not to work while having it disabled and using medium quality.
if CONFIG.disabled?("local") || !preferences.local
env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")
end
current_page = env.request.path current_page = env.request.path
if env.request.query if env.request.query
query = HTTP::Params.parse(env.request.query.not_nil!) query = HTTP::Params.parse(env.request.query.not_nil!)