Migrate to a good Content Security Policy (#1023)

So attacks such as XSS (see [0]) will no longer be of an issue. [0]: https://github.com/omarroth/invidious/issues/1022
2026-03-02 04:09:58 +00:00 · 2020-03-16 06:46:08 +09:00
parent f92027c44b
commit 70cbe91776
29 changed files with 274 additions and 175 deletions
--- a/src/invidious/views/subscriptions.ecr
+++ b/src/invidious/views/subscriptions.ecr
@@ -45,9 +45,9 @@
    <hr>
 </div>

-<script>
-var watched_data = {
-    csrf_token: '<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>',
+<script id="watched_data" type="application/json">
+{
+    "csrf_token": "<%= URI.encode_www_form(env.get?("csrf_token").try &.as(String) || "") %>"
 }
 </script>
 <script src="/js/watched_widget.js"></script>