From f90b09269268cd2f15d4da3f2517f892cba76c62 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Wed, 21 May 2025 17:03:04 -0400
Subject: [PATCH] restore missing extra_media_csp on CSP header
---
 src/invidious/routes/before_all.cr | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 18fc4b71..fc6ed5e5 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -77,12 +77,6 @@ module Invidious::Routes::BeforeAll
 extra_media_csp, extra_connect_csp = BackendInfo.get_csp(env.get("current_companion").as(Int32))
 end

- # Allow media resources to be loaded from google servers
- # TODO: check if *.youtube.com can be removed
- if CONFIG.disabled?("local") || !preferences.local
- extra_media_csp += " https://*.googlevideo.com:443 https://*.youtube.com:443"
- end
-
 # Only allow the pages at /embed/* to be embedded
 if env.request.resource.starts_with?("/embed")
 frame_ancestors = "'self' file: http: https:"
@@ -103,7 +97,7 @@ module Invidious::Routes::BeforeAll
 "font-src 'self' data:",
 "connect-src 'self'" + extra_connect_csp,
 "manifest-src 'self'",
- "media-src 'self' blob:",
+ "media-src 'self' blob:" + extra_media_csp,
 "child-src 'self' blob:",
 "frame-src 'self'",
 "frame-ancestors " + frame_ancestors,
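Review bot: The new `+ extra_media_csp` on the `media-src` line splices a string straight into the Content-Security-Policy value, and nothing in the hunk states what that string may contain. It is produced by `BackendInfo.get_csp`, which is outside this patch, so whether it is always empty or a space-prefixed list of origins cannot be confirmed here; a `;`, `,` or newline in it would change how the policy is parsed. I would document the contract above the directive list, e.g. `# extra_media_csp / extra_connect_csp: "" or a leading-space list of origin sources; never ';', ',' or newlines`. Since the first hunk also drops the googlevideo/youtube allowance, `media-src` now depends on this value alone, so the non-proxied playback case (the `local` preference) seems worth a check before merge. The directive list starts and ends outside the hunk.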