Migrate to a good Content Security Policy (#1023)

So attacks such as XSS (see [0]) will no longer be of an issue. [0]: https://github.com/omarroth/invidious/issues/1022
2025-12-28 18:41:19 +00:00 · 2020-03-16 06:46:08 +09:00
parent f92027c44b
commit 70cbe91776
29 changed files with 274 additions and 175 deletions
--- a/src/invidious/views/embed.ecr
+++ b/src/invidious/views/embed.ecr
@@ -10,32 +10,21 @@
    <script src="/js/videojs-overlay.min.js?v=<%= ASSET_COMMIT %>"></script>
    <link rel="stylesheet" href="/css/default.css?v=<%= ASSET_COMMIT %>">
    <link rel="stylesheet" href="/css/darktheme.css?v=<%= ASSET_COMMIT %>">
+    <link rel="stylesheet" href="/css/embed.css?v=<%= ASSET_COMMIT %>">
    <title><%= HTML.escape(video.title) %> - Invidious</title>
-    <style>
-    #player {
-        position: fixed;
-        right: 0;
-        bottom: 0;
-        min-width: 100%;
-        min-height: 100%;
-        width: auto;
-        height: auto;
-        z-index: -100;
-    }
-    </style>
 </head>

 <body>
-<script>
-var video_data = {
-    id: '<%= video.id %>',
-    index: '<%= continuation %>',
-    plid: '<%= plid %>',
-    length_seconds: '<%= video.length_seconds.to_f %>',
-    video_series: <%= video_series.to_json %>,
-    params: <%= params.to_json %>,
-    preferences: <%= preferences.to_json %>,
-    premiere_timestamp: <%= video.premiere_timestamp.try &.to_unix || "null" %>
+<script id="video_data" type="application/json">
+{
+    "id": "<%= video.id %>",
+    "index": "<%= continuation %>",
+    "plid": "<%= plid %>",
+    "length_seconds": "<%= video.length_seconds.to_f %>",
+    "video_series": <%= video_series.to_json %>,
+    "params": <%= params.to_json %>,
+    "preferences": <%= preferences.to_json %>,
+    "premiere_timestamp": <%= video.premiere_timestamp.try &.to_unix || "null" %>
 }
 </script>