Migrate to a good Content Security Policy (#1023)

So attacks such as XSS (see [0]) will no longer be of an issue. [0]: https://github.com/omarroth/invidious/issues/1022
2025-12-21 10:28:50 +00:00 · 2020-03-16 06:46:08 +09:00
parent f92027c44b
commit 70cbe91776
29 changed files with 274 additions and 175 deletions
--- a/src/invidious/views/components/item.ecr
+++ b/src/invidious/views/components/item.ecr
@@ -57,10 +57,10 @@
                    <div class="thumbnail">
                        <img class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/>
                        <% if plid = env.get?("remove_playlist_items") %>
-                            <form onsubmit="return false" action="/playlist_ajax?action_remove_video=1&set_video_id=<%= item.index %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
+                            <form data-onsubmit="return_false" action="/playlist_ajax?action_remove_video=1&set_video_id=<%= item.index %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
                                <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
                                <p class="watched">
-                                    <a onclick="remove_playlist_item(this)" data-index="<%= item.index %>" data-plid="<%= plid %>" href="javascript:void(0)">
+                                    <a data-onclick="remove_playlist_item" data-index="<%= item.index %>" data-plid="<%= plid %>" href="javascript:void(0)">
                                        <button type="submit" style="all:unset">
                                            <i class="icon ion-md-trash"></i>
                                        </button>
@@ -103,13 +103,12 @@
                    <div class="thumbnail">
                        <img class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/>
                        <% if env.get? "show_watched" %>
-                            <form onsubmit="return false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
+                            <form data-onsubmit="return_false" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
                                <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
                                <p class="watched">
-                                    <a onclick="mark_watched(this)" data-id="<%= item.id %>" href="javascript:void(0)">
+                                    <a data-onclick="mark_watched" data-id="<%= item.id %>" href="javascript:void(0)">
                                        <button type="submit" style="all:unset">
-                                            <i onmouseenter='this.setAttribute("class", "icon ion-ios-eye-off")'
-                                                onmouseleave='this.setAttribute("class", "icon ion-ios-eye")'
+                                            <i data-mouse="switch_classes" data-switch-classes="ion-ios-eye-off,ion-ios-eye"
                                                class="icon ion-ios-eye">
                                            </i>
                                        </button>
@@ -117,10 +116,10 @@
                                </p>
                            </form>
                        <% elsif plid = env.get? "add_playlist_items" %>
-                            <form onsubmit="return false" action="/playlist_ajax?action_add_video=1&video_id=<%= item.id %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
+                            <form data-onsubmit="return_false" action="/playlist_ajax?action_add_video=1&video_id=<%= item.id %>&playlist_id=<%= plid %>&referer=<%= env.get("current_page") %>" method="post">
                                <input type="hidden" name="csrf_token" value="<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>">
                                <p class="watched">
-                                    <a onclick="add_playlist_item(this)" data-id="<%= item.id %>" data-plid="<%= plid %>" href="javascript:void(0)">
+                                    <a data-onclick="add_playlist_item" data-id="<%= item.id %>" data-plid="<%= plid %>" href="javascript:void(0)">
                                        <button type="submit" style="all:unset">
                                            <i class="icon ion-md-add"></i>
                                        </button>
--- a/src/invidious/views/components/player.ecr
+++ b/src/invidious/views/components/player.ecr
@@ -1,8 +1,5 @@
 <video style="outline:none;width:100%;background-color:#000" playsinline poster="<%= thumbnail %>" title="<%= HTML.escape(video.title) %>"
-    id="player" class="video-js player-style-<%= params.player_style %>"
-    onmouseenter='this["data-title"]=this["title"];this["title"]=""'
-    onmouseleave='this["title"]=this["data-title"];this["data-title"]=""'
-    oncontextmenu='this["title"]=this["data-title"]'
+    id="player" class="on-video_player video-js player-style-<%= params.player_style %>"
    <% if params.autoplay %>autoplay<% end %>
    <% if params.video_loop %>loop<% end %>
    <% if params.controls %>controls<% end %>>
@@ -39,12 +36,12 @@
    <% end %>
 </video>

-<script>
-var player_data = {
-    aspect_ratio: '<%= aspect_ratio %>',
-    title: "<%= video.title.dump_unquoted %>",
-    description: "<%= HTML.escape(video.short_description) %>",
-    thumbnail: "<%= thumbnail %>"
+<script id="player_data" type="application/json">
+{
+    "aspect_ratio": "<%= aspect_ratio %>",
+    "title": "<%= video.title.dump_unquoted %>",
+    "description": "<%= HTML.escape(video.short_description) %>",
+    "thumbnail": "<%= thumbnail %>"
 }
 </script>
 <script src="/js/player.js?v=<%= ASSET_COMMIT %>"></script>
--- a/src/invidious/views/components/player_sources.ecr
+++ b/src/invidious/views/components/player_sources.ecr
@@ -3,6 +3,7 @@
 <link rel="stylesheet" href="/css/videojs.markers.min.css?v=<%= ASSET_COMMIT %>">
 <link rel="stylesheet" href="/css/videojs-share.css?v=<%= ASSET_COMMIT %>">
 <link rel="stylesheet" href="/css/videojs-vtt-thumbnails.css?v=<%= ASSET_COMMIT %>">
+<script src="/js/global.js?v=<%= ASSET_COMMIT %>"></script>
 <script src="/js/video.min.js?v=<%= ASSET_COMMIT %>"></script>
 <script src="/js/videojs-contrib-quality-levels.min.js?v=<%= ASSET_COMMIT %>"></script>
 <script src="/js/videojs-http-source-selector.min.js?v=<%= ASSET_COMMIT %>"></script>
--- a/src/invidious/views/components/subscribe_widget.ecr
+++ b/src/invidious/views/components/subscribe_widget.ecr
@@ -19,14 +19,14 @@
        </p>
    <% end %>

-    <script>
-    var subscribe_data = {
-        ucid: '<%= ucid %>',
-        author: '<%= HTML.escape(author) %>',
-        sub_count_text: '<%= HTML.escape(sub_count_text) %>',
-        csrf_token: '<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>',
-        subscribe_text: '<%= HTML.escape(translate(locale, "Subscribe")) %>',
-        unsubscribe_text: '<%= HTML.escape(translate(locale, "Unsubscribe")) %>'
+    <script id="subscribe_data" type="application/json">
+    {
+        "ucid": "<%= ucid %>",
+        "author": "<%= HTML.escape(author) %>",
+        "sub_count_text": "<%= HTML.escape(sub_count_text) %>",
+        "csrf_token": "<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>",
+        "subscribe_text": "<%= HTML.escape(translate(locale, "Subscribe")) %>",
+        "unsubscribe_text": "<%= HTML.escape(translate(locale, "Unsubscribe")) %>"
    }
    </script>
    <script src="/js/subscribe_widget.js?v=<%= ASSET_COMMIT %>"></script>