mirrors/nadeko_invidious
1
0
Fork 0
mirror of https://git.nadeko.net/Fijxu/invidious.git synced 2025-06-28 01:48:26 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

use Host header on img-src 'self' data: CSP

Browse Source
This commit is contained in:
Fijxu 2025-04-02 20:44:33 -03:00
parent 3d85519ec9
commit 426e7bfbdb
No known key found for this signature in database
GPG Key ID: 32C1DDF333EDA6A4
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/invidious/routes/before_all.cr
View File

@ -76,11 +76,12 @@ module Invidious::Routes::BeforeAll
# TODO: Remove style-src's 'unsafe-inline', requires to remove all # TODO: Remove style-src's 'unsafe-inline', requires to remove all
# inline styles (<style> [..] </style>, style=" [..] ") # inline styles (<style> [..] </style>, style=" [..] ")
scheme = env.request.headers["X-Forwarded-Proto"]? || ("https" if CONFIG.https_only) || "http"
env.response.headers["Content-Security-Policy"] = { env.response.headers["Content-Security-Policy"] = {
"default-src 'none'", "default-src 'none'",
"script-src 'self'", "script-src 'self'",
"style-src 'self' 'unsafe-inline'", "style-src 'self' 'unsafe-inline'",
"img-src 'self' data: " + HOST_URL, "img-src 'self' data: " + "#{scheme}://#{env.request.headers["Host"]?}",
"font-src 'self' data:", "font-src 'self' data:",
"connect-src 'self'" + extra_connect_csp, "connect-src 'self'" + extra_connect_csp,
"manifest-src 'self'", "manifest-src 'self'",