| author | syeopite <syeopite@syeopite.dev> | 2025-05-17 16:17:43 -0700 |
|---|---|---|
| committer | syeopite <syeopite@syeopite.dev> | 2025-05-17 16:17:43 -0700 |
| commit | 4b2f9ffffcf4c8a2cb27f78ec73aee01319788fb (patch) | |
| tree | 9ef4e5f5c23c6d9083036f88b0bbf9d19ed50d7c | |
| parent | 64ad97f308ab7991bd3f6c489584bfd2e3549013 (diff) | |
| parent | 6fe21a7523c2c944ebc616e3573f50ee5fc6ce8f (diff) | |
| download | invidious-4b2f9ffffcf4c8a2cb27f78ec73aee01319788fb.tar.gz invidious-4b2f9ffffcf4c8a2cb27f78ec73aee01319788fb.tar.bz2 invidious-4b2f9ffffcf4c8a2cb27f78ec73aee01319788fb.zip | |
fix: set CSP header after setting preferences of registered users (#5275)
| -rw-r--r-- | src/invidious/routes/before_all.cr | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 5695dee9..b5269668 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll
     env.response.headers["X-XSS-Protection"] = "1; mode=block"
     env.response.headers["X-Content-Type-Options"] = "nosniff"
 
-    # Allow media resources to be loaded from google servers
-    # TODO: check if *.youtube.com can be removed
-    if CONFIG.disabled?("local") || !preferences.local
-      extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
-    else
-      extra_media_csp = ""
-    end
-
     # Only allow the pages at /embed/* to be embedded
     if env.request.resource.starts_with?("/embed")
       frame_ancestors = "'self' file: http: https:"
@@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll
       "font-src 'self' data:",
       "connect-src 'self'",
       "manifest-src 'self'",
-      "media-src 'self' blob:" + extra_media_csp,
+      "media-src 'self' blob:",
       "child-src 'self' blob:",
       "frame-src 'self'",
       "frame-ancestors " + frame_ancestors,
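Review bot: The second hunk now emits `media-src 'self' blob:` unconditionally and depends on a later substring replacement in the same handler to append the Google origins, but nothing at that line says so; a reader editing the policy here could re-add the origins or restructure the directive and break what the later code matches on. Suggest a comment on the new line: `"media-src 'self' blob:", # extended later in this handler once preferences are known (see the proxy/"local" check)`. Because the patch happens after the header is already assigned, any early return between the two points leaves the stricter policy in place, which is the fail-safe direction and worth stating in that comment. The enclosing method starts and ends outside both hunks.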
@@ -110,6 +102,21 @@ module Invidious::Routes::BeforeAll
     preferences.locale = locale
     env.set "preferences", preferences
 
+    # Allow media resources to be loaded from google servers
+    # TODO: check if *.youtube.com can be removed
+    #
+    # `!preferences.local` has to be checked after setting and
+    # reading `preferences` from the "PREFS" cookie and
+    # saved user preferences from the database, otherwise
+    # `https://*.googlevideo.com:443 https://*.youtube.com:443`
+    # will not be set in the CSP header if
+    # `default_user_preferences.local` is set to true on the
+    # configuration file, causing preference “Proxy Videos”
+    # not to work while having it disabled and using medium quality.
+    if CONFIG.disabled?("local") || !preferences.local
+      env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")
+    end
+
     current_page = env.request.path
     if env.request.query
       query = HTTP::Params.parse(env.request.query.not_nil!) |
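Review bot: The `gsub("media-src", …)` on the new assignment line is a substring patch of a security header: if the base directive is ever reworded or the header has not been set when this runs, the call either silently yields a policy without the Google origins (the original bug in a new form) or raises a KeyError from `headers[]`, and neither case is caught anywhere visible. Anchoring on the full directive and checking the result makes the coupling explicit: `csp = env.response.headers["Content-Security-Policy"]`, `raise "CSP media-src directive not found" unless csp.includes?("media-src 'self' blob:")`, `env.response.headers["Content-Security-Policy"] = csp.sub("media-src 'self' blob:", "media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443")`. `sub` also documents that exactly one directive is expected, where `gsub` would rewrite every occurrence. The long comment could be shortened to the one fact that matters here, that preferences must be fully resolved (cookie and database) before the check, with the bug history left to the commit message. The enclosing method continues outside the hunk.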
