diff options
| author | Omar Roth <omarroth@protonmail.com> | 2019-05-10 15:29:10 -0500 |
|---|---|---|
| committer | Omar Roth <omarroth@protonmail.com> | 2019-05-10 15:29:10 -0500 |
| commit | ddfd20d997b17dbccd69d6da617e294d73a091d1 (patch) | |
| tree | bddc79f1bf507c4786e66541c4b801be2a238044 | |
| parent | fd8af884938eb3f1c5abb1876aba50e0b4473821 (diff) | |
| download | invidious-ddfd20d997b17dbccd69d6da617e294d73a091d1.tar.gz invidious-ddfd20d997b17dbccd69d6da617e294d73a091d1.tar.bz2 invidious-ddfd20d997b17dbccd69d6da617e294d73a091d1.zip | |
Fix CSP for subdomains
| -rw-r--r-- | src/invidious.cr | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/invidious.cr b/src/invidious.cr index 25bd3672..eb1b5104 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -187,9 +187,10 @@ end proxies = PROXY_LIST before_all do |env| + host_url = make_host_url(config, Kemal.config) env.response.headers["X-XSS-Protection"] = "1; mode=block;" env.response.headers["X-Content-Type-Options"] = "nosniff" - env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' https://*.googlevideo.com:443" + env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' #{host_url} 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' #{host_url} https://*.googlevideo.com:443" env.response.headers["Referrer-Policy"] = "same-origin" if Kemal.config.ssl || config.https_only |