use Host header on img-src 'self' data: CSP

2025-06-28 01:48:26 +00:00 · 2025-04-02 20:44:33 -03:00 · 2025-04-02 20:44:33 -03:00 · 426e7bfbdb
commit 426e7bfbdb
parent 3d85519ec9
1 changed files with 2 additions and 1 deletions
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@ -76,11 +76,12 @@ module Invidious::Routes::BeforeAll

    # TODO: Remove style-src's 'unsafe-inline', requires to remove all
    # inline styles (<style> [..] </style>, style=" [..] ")
+    scheme = env.request.headers["X-Forwarded-Proto"]? || ("https" if CONFIG.https_only) || "http"
    env.response.headers["Content-Security-Policy"] = {
      "default-src 'none'",
      "script-src 'self'",
      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: " + HOST_URL,
+      "img-src 'self' data: " + "#{scheme}://#{env.request.headers["Host"]?}",
      "font-src 'self' data:",
      "connect-src 'self'" + extra_connect_csp,
      "manifest-src 'self'",