From 426e7bfbdb7349f95b6f1b6e7116e287c02bcef3 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Wed, 2 Apr 2025 20:44:33 -0300
Subject: [PATCH] use Host header on `img-src 'self' data:` CSP

---
 src/invidious/routes/before_all.cr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 2d5f1da3..6c45bc1e 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -76,11 +76,12 @@ module Invidious::Routes::BeforeAll
 # TODO: Remove style-src's 'unsafe-inline', requires to remove all
 # inline styles (, style=" [..] ")
+ scheme = env.request.headers["X-Forwarded-Proto"]? || ("https" if CONFIG.https_only) || "http"
 env.response.headers["Content-Security-Policy"] = {
 "default-src 'none'",
 "script-src 'self'",
 "style-src 'self' 'unsafe-inline'",
- "img-src 'self' data: " + HOST_URL,
+ "img-src 'self' data: " + "#{scheme}://#{env.request.headers["Host"]?}",
 "font-src 'self' data:",
 "connect-src 'self'" + extra_connect_csp,
 "manifest-src 'self'",