diff options
| author | Samantaz Fox <coding@samantaz.fr> | 2021-06-17 19:45:20 +0200 |
|---|---|---|
| committer | Samantaz Fox <coding@samantaz.fr> | 2021-06-17 19:53:39 +0200 |
| commit | 42d9fd9c888d58f5597cf4d54a0628cb60aa9a7a (patch) | |
| tree | 786270a121926ed37957d0dbb76e953ed010c95b | |
| parent | 31466785adf3f1b57800b6dc5cf7ec9b79f31d14 (diff) | |
| download | invidious-42d9fd9c888d58f5597cf4d54a0628cb60aa9a7a.tar.gz invidious-42d9fd9c888d58f5597cf4d54a0628cb60aa9a7a.tar.bz2 invidious-42d9fd9c888d58f5597cf4d54a0628cb60aa9a7a.zip | |
Rewrite response headers
Fixes #2018 and #2153
| -rw-r--r-- | src/invidious.cr | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/invidious.cr b/src/invidious.cr index ebba52b1..fbd1a834 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -174,15 +174,44 @@ before_all do |env| env.set "preferences", preferences env.response.headers["X-XSS-Protection"] = "1; mode=block" env.response.headers["X-Content-Type-Options"] = "nosniff" - extra_media_csp = "" + + # Allow media ressources to be loaded from google servers + # TODO: check if *.youtube.com can be removed if CONFIG.disabled?("local") || !preferences.local - extra_media_csp += " https://*.googlevideo.com:443" - extra_media_csp += " https://*.youtube.com:443" + extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443" + else + extra_media_csp = "" end - # TODO: Remove style-src's 'unsafe-inline', requires to remove all inline styles (<style> [..] </style>, style=" [..] ") - env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:#{extra_media_csp}; child-src blob:" + + # Only allow the pages at /embed/* to be embedded + if env.request.resource.starts_with?("/embed") + frame_ancestors = "'self' http: https:" + else + frame_ancestors = "none" + end + + # TODO: Remove style-src's 'unsafe-inline', requires to remove all + # inline styles (<style> [..] </style>, style=" [..] ") + env.response.headers["Content-Security-Policy"] = { + "default-src 'none'", + "script-src 'self'", + "style-src 'self' 'unsafe-inline'", + "img-src 'self' data:", + "font-src 'self' data:", + "connect-src 'self'", + "manifest-src 'self'", + "media-src 'self' blob:" + extra_media_csp, + "child-src 'self' blob:", + "frame-src 'self'", + "frame-ancestors " + frame_ancestors, + }.join("; ") + env.response.headers["Referrer-Policy"] = "same-origin" + # Ask the chrom*-based browsers to disable FLoC + # See: https://blog.runcloud.io/google-floc/ + env.response.headers["Permissions-Policy"] = "interest-cohort=()" + if (Kemal.config.ssl || CONFIG.https_only) && CONFIG.hsts env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload" end |