Add Origin header checks

author: Omar Roth <omarroth@hotmail.com> 2018-11-07 23:05:50 -0600
committer: Omar Roth <omarroth@hotmail.com> 2018-11-07 23:05:50 -0600
commit: 2be240767c65a17e563fc80a389ac4e568c47d41 (patch)
tree: ac12792dd78510cee941f54574ee001fc7c54a61 /src
parent: 103949c61e45df74d4d024082af872a325615602 (diff)
download: invidious-2be240767c65a17e563fc80a389ac4e568c47d41.tar.gz
invidious-2be240767c65a17e563fc80a389ac4e568c47d41.tar.bz2
invidious-2be240767c65a17e563fc80a389ac4e568c47d41.zip
2 files changed, 10 insertions, 0 deletions
diff --git a/src/invidious.cr b/src/invidious.cr
index 3c251d96..d8c7301e 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -128,6 +128,15 @@ if CONFIG.geo_bypass
 end
 
 before_all do |env|
+  if CONFIG.domains && env.request.headers["Origin"]?
+    origin = env.request.headers["Origin"]
+    domains = CONFIG.domains.not_nil!
+
+    if !domains.includes? origin
+      halt env, status_code: 403
+    end
+  end
+
   env.response.headers["X-XSS-Protection"] = "1; mode=block;"
   env.response.headers["X-Content-Type-Options"] = "nosniff"
 
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
index 92a2e1b1..98357440 100644
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -16,6 +16,7 @@ class Config
     hmac_key:     String?,
     full_refresh: Bool,
     geo_bypass:   Bool,
+    domains:      Array(String)?,
   })
 end
author	Omar Roth <omarroth@hotmail.com>	2018-11-07 23:05:50 -0600
committer	Omar Roth <omarroth@hotmail.com>	2018-11-07 23:05:50 -0600
commit	2be240767c65a17e563fc80a389ac4e568c47d41 (patch)
tree	ac12792dd78510cee941f54574ee001fc7c54a61 /src
parent	103949c61e45df74d4d024082af872a325615602 (diff)
download	invidious-2be240767c65a17e563fc80a389ac4e568c47d41.tar.gz invidious-2be240767c65a17e563fc80a389ac4e568c47d41.tar.bz2 invidious-2be240767c65a17e563fc80a389ac4e568c47d41.zip