From a47336365fc1bd8c671b2c490dc489ced06e3269 Mon Sep 17 00:00:00 2001
From: Emilien <4016501+unixfox@users.noreply.github.com>
Date: Sat, 14 Jun 2025 19:10:52 +0200
Subject: [PATCH] fix csp + progress proxy + allow omit public_url

---
 config/config.example.yml         |  8 ++++++++
 src/invidious/config.cr           | 11 +++++++++++
 src/invidious/routes/companion.cr | 23 +++++++++++++++++------
 src/invidious/routes/embed.cr     | 13 ++++++++-----
 src/invidious/routes/watch.cr     | 13 ++++++++-----
 src/invidious/routing.cr          |  1 +
 6 files changed, 53 insertions(+), 16 deletions(-)

diff --git a/config/config.example.yml b/config/config.example.yml
index d46fec89..6a2a71f8 100644
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -80,12 +80,20 @@ db:
 ## Both parameter can have identical URL when Invidious is hosted in
 ## an internal network or at home or locally (localhost).
 ##
+## NOTE: If public_url is omitted, Invidious will use its built-in proxy
+## to route companion requests through /companion, which is useful for
+## simple setups where companion runs on the same network. When using
+## the built-in proxy, CSP headers are not modified since requests
+## stay within the same domain.
+##
 ## Accepted values: "http(s)://<IP-HOSTNAME>:<Port>"
 ## Default: <none>
 ##
 #invidious_companion:
 #  - private_url: "http://localhost:8282/companion"
 #    public_url: "http://localhost:8282/companion"
+#  # Example with built-in proxy (omit public_url):
+#  # - private_url: "http://localhost:8282/companion"
 
 ##
 ## API key for Invidious companion, used for securing the communication
diff --git a/src/invidious/config.cr b/src/invidious/config.cr
index 4d69854c..e47e405c 100644
--- a/src/invidious/config.cr
+++ b/src/invidious/config.cr
@@ -82,6 +82,9 @@ class Config
 
     @[YAML::Field(converter: Preferences::URIConverter)]
     property public_url : URI = URI.parse("")
+
+    # Indicates if this companion instance uses the built-in proxy
+    property builtin_proxy : Bool = false
   end
 
   # Number of threads to use for crawling videos from channels (for updating subscriptions)
@@ -271,6 +274,14 @@ class Config
         puts "Config: The value of 'invidious_companion_key' needs to be a size of 16 characters."
         exit(1)
       end
+
+      # Set public_url to built-in proxy path when omitted
+      config.invidious_companion.each do |companion|
+        if companion.public_url.to_s.empty?
+          companion.public_url = URI.parse("/companion")
+          companion.builtin_proxy = true
+        end
+      end
     elsif config.signature_server
       puts("WARNING: inv-sig-helper is deprecated. Please switch to Invidious companion: https://docs.invidious.io/companion-installation/")
     else
diff --git a/src/invidious/routes/companion.cr b/src/invidious/routes/companion.cr
index cd7ed422..bcfbad6b 100644
--- a/src/invidious/routes/companion.cr
+++ b/src/invidious/routes/companion.cr
@@ -1,22 +1,33 @@
 module Invidious::Routes::Companion
   # /companion
   def self.get_companion(env)
-    url = env.request.path.lchop("/companion")
+    url = env.request.path
+    if env.request.query
+      url += "?#{env.request.query}"
+    end
 
     begin
-      COMPANION_POOL.client &.get(url, env.request.header) do |resp|
-        return self.proxy_companion(env, resp)
+      COMPANION_POOL.client do |wrapper|
+        puts env.request.headers
+        wrapper.client.get(url, env.request.headers) do |resp|
+          return self.proxy_companion(env, resp)
+        end
       end
     rescue ex
     end
   end
 
   def self.options_companion(env)
-    url = env.request.path.lchop("/companion")
+    url = env.request.path
+    if env.request.query
+      url += "?#{env.request.query}"
+    end
 
     begin
-      COMPANION_POOL.client &.options(url, env.request.header) do |resp|
-        return self.proxy_companion(env, resp)
+      COMPANION_POOL.client do |wrapper|
+        wrapper.client.options(url, env.request.headers) do |resp|
+          return self.proxy_companion(env, resp)
+        end
       end
     rescue ex
     end
diff --git a/src/invidious/routes/embed.cr b/src/invidious/routes/embed.cr
index 712295a3..53da7068 100644
--- a/src/invidious/routes/embed.cr
+++ b/src/invidious/routes/embed.cr
@@ -209,14 +209,17 @@ module Invidious::Routes::Embed
 
     if CONFIG.invidious_companion.present?
       invidious_companion = CONFIG.invidious_companion.sample
-      invidious_companion_urls = CONFIG.invidious_companion.map do |companion|
+      invidious_companion_urls = CONFIG.invidious_companion.reject(&.builtin_proxy).map do |companion|
         uri =
           "#{companion.public_url.scheme}://#{companion.public_url.host}#{companion.public_url.port ? ":#{companion.public_url.port}" : ""}"
       end.join(" ")
-      env.response.headers["Content-Security-Policy"] =
-        env.response.headers["Content-Security-Policy"]
-          .gsub("media-src", "media-src #{invidious_companion_urls}")
-          .gsub("connect-src", "connect-src #{invidious_companion_urls}")
+      
+      if !invidious_companion_urls.empty?
+        env.response.headers["Content-Security-Policy"] =
+          env.response.headers["Content-Security-Policy"]
+            .gsub("media-src", "media-src #{invidious_companion_urls}")
+            .gsub("connect-src", "connect-src #{invidious_companion_urls}")
+      end
     end
 
     rendered "embed"
diff --git a/src/invidious/routes/watch.cr b/src/invidious/routes/watch.cr
index a50a146d..83893457 100644
--- a/src/invidious/routes/watch.cr
+++ b/src/invidious/routes/watch.cr
@@ -194,14 +194,17 @@ module Invidious::Routes::Watch
 
     if CONFIG.invidious_companion.present?
       invidious_companion = CONFIG.invidious_companion.sample
-      invidious_companion_urls = CONFIG.invidious_companion.map do |companion|
+      invidious_companion_urls = CONFIG.invidious_companion.reject(&.builtin_proxy).map do |companion|
         uri =
           "#{companion.public_url.scheme}://#{companion.public_url.host}#{companion.public_url.port ? ":#{companion.public_url.port}" : ""}"
       end.join(" ")
-      env.response.headers["Content-Security-Policy"] =
-        env.response.headers["Content-Security-Policy"]
-          .gsub("media-src", "media-src #{invidious_companion_urls}")
-          .gsub("connect-src", "connect-src #{invidious_companion_urls}")
+      
+      if !invidious_companion_urls.empty?
+        env.response.headers["Content-Security-Policy"] =
+          env.response.headers["Content-Security-Policy"]
+            .gsub("media-src", "media-src #{invidious_companion_urls}")
+            .gsub("connect-src", "connect-src #{invidious_companion_urls}")
+      end
     end
 
     templated "watch"
diff --git a/src/invidious/routing.cr b/src/invidious/routing.cr
index b95ac706..a51bb4b6 100644
--- a/src/invidious/routing.cr
+++ b/src/invidious/routing.cr
@@ -46,6 +46,7 @@ module Invidious::Routing
     self.register_api_v1_routes
     self.register_api_manifest_routes
     self.register_video_playback_routes
+    self.register_companion_routes
   end
 
   # -------------------