authorFijxu <fijxu@nadeko.net>2025-05-08 02:21:06 -0400
committerFijxu <fijxu@nadeko.net>2025-05-10 13:26:30 -0400
commit401bc110d6a6231aa8e2c55bb03876825129b88d (patch)
tree00f260421cef88dd6a6641f10e559aae861df4cf /src
parentd1bc15b8bffe7afad6000208dfe2cbd5601b4786 (diff)
fix: set CSP header after setting preferences of registered users
Fixes https://github.com/iv-org/invidious/issues/5142. Add the reason why extra_media_csp is computed after reading user preferences from the database and cookies. Set media-src after loading user preferences from the database.
Diffstat (limited to 'src')
-rw-r--r--src/invidious/routes/before_all.cr24
1 files changed, 15 insertions, 9 deletions
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 5695dee9..0cc04021 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -20,14 +20,6 @@ module Invidious::Routes::BeforeAll
env.response.headers["X-XSS-Protection"] = "1; mode=block"
env.response.headers["X-Content-Type-Options"] = "nosniff"
- # Allow media resources to be loaded from google servers
- # TODO: check if *.youtube.com can be removed
- if CONFIG.disabled?("local") || !preferences.local
- extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
- else
- extra_media_csp = ""
- end
-
# Only allow the pages at /embed/* to be embedded
if env.request.resource.starts_with?("/embed")
frame_ancestors = "'self' file: http: https:"
@@ -45,7 +37,7 @@ module Invidious::Routes::BeforeAll
"font-src 'self' data:",
"connect-src 'self'",
"manifest-src 'self'",
- "media-src 'self' blob:" + extra_media_csp,
+ "media-src 'self' blob:",
"child-src 'self' blob:",
"frame-src 'self'",
"frame-ancestors " + frame_ancestors,
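Review bot: The added `"media-src 'self' blob:"` line is now the literal anchor for a later `gsub("media-src", ...)` on the assembled Content-Security-Policy header (third hunk, whose end lies outside this view), so this string and that replacement must stay in sync: renaming the directive, or introducing a second `media-src` token anywhere in the header, would silently change which media origins end up allowed. A comment on this line would make the coupling visible to the next editor, e.g. `"media-src 'self' blob:", # NOTE: extended with the googlevideo/youtube hosts after preferences are loaded`. It is also worth confirming that every request path between this header assignment and that later rewrite actually reaches the rewrite, since any early exit in between would serve the CSP without the proxied-video exemption; that cannot be determined from this hunk.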
@@ -110,6 +102,20 @@ module Invidious::Routes::BeforeAll
preferences.locale = locale
env.set "preferences", preferences
+ # Allow media resources to be loaded from google servers
+ # TODO: check if *.youtube.com can be removed
+ #
+ # `!preferences.local` has to be checked after setting and
+ # reading `preferences` from the "PREFS" cookie and
+ # saved user preferences from the database, otherwise
+ # the `extra_media_csp` variable will be always empty if
+ # `default_user_preferences.local` is set to true on the
+ # configuration file, causing preference “Proxy Videos”
+ # not to work.
+ if CONFIG.disabled?("local") || !preferences.local
+ env.response.headers["Content-Security-Policy"] = env.response.headers["Content-Security-Policy"].gsub("media-src", "media-src https://*.googlevideo.com:443 https://*.youtube.com:443")
+ end
+
current_page = env.request.path
if env.request.query
query = HTTP::Params.parse(env.request.query.not_nil!)