From 13e69dba806ac0efc18cc51b387828b8f2063a80 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Mon, 30 Dec 2024 19:40:26 -0300
Subject: [PATCH] refactor CSP and fix non proxied videoplayback due to CSP

Probably fixes https://git.nadeko.net/Fijxu/invidious/issues/65
---
 src/invidious.cr | 1 -
 src/invidious/config.cr | 2 +-
 src/invidious/helpers/utils.cr | 2 +-
 src/invidious/http_server/utils.cr | 8 ++++----
 src/invidious/routes/before_all.cr | 24 +++++++++++++++++++-----
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index 7e7b2986..ef7db7b1 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -88,7 +88,6 @@ REDDIT_URL = URI.parse("https://www.reddit.com")
 YT_URL = URI.parse("https://www.youtube.com")
 PUBSUB_HOST_URL = CONFIG.pubsub_domain
 HOST_URL = make_host_url(Kemal.config)
-EXT_VIDEOP_LIST = gen_videoplayback_proxy_list()
 CHARS_SAFE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
 TEST_IDS = {"AgbeGFYluEA", "BaW_jenozKc", "a9LDPn-MO4I", "ddFvjfvPnqk", "iqKdEhx-dD4"}
diff --git a/src/invidious/config.cr b/src/invidious/config.cr
index 35f3503d..f4df3927 100644
--- a/src/invidious/config.cr
+++ b/src/invidious/config.cr
@@ -209,7 +209,7 @@ class Config
   # External videoplayback proxies list. They should include `https://`
   # at the start of the URI
-  property external_videoplayback_proxy : Array(NamedTuple(url: String, balance: Bool)) = [] of NamedTuple(url: String, balance: Bool)
+  property external_videoplayback_proxy : Array(String) = [] of String
   property pubsub_domain : String = ""
diff --git a/src/invidious/helpers/utils.cr b/src/invidious/helpers/utils.cr
index 0c50e751..5dd12e11 100644
--- a/src/invidious/helpers/utils.cr
+++ b/src/invidious/helpers/utils.cr
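Review bot: The new `Array(String)` type silently drops the `balance` field, so an existing config that still lists `{url:, balance:}` entries will fail to deserialize at startup, and the comment above the property was not updated to say so. Each entry is later interpolated verbatim into the `Content-Security-Policy` header (`extra_media_csp += " #{proxy}"`) and into `"#{proxy}/health"`, so the comment should state the expected shape: `# Each entry is a bare origin (https://host[:port], no path, no trailing slash); the previous {url:, balance:} form is no longer accepted.` If Config has a validation step, it should also reject entries that do not start with `https://` or that contain whitespace or `;`, since such a value would extend or break the CSP rather than fail loudly. The enclosing `class Config` starts outside the hunk.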
@@ -390,7 +390,7 @@ def gen_videoplayback_proxy_list
   if !CONFIG.external_videoplayback_proxy.empty?
     external_videoplayback_proxy = ""
     CONFIG.external_videoplayback_proxy.each do |proxy|
-      external_videoplayback_proxy += " #{proxy[:url]}"
+      external_videoplayback_proxy += " #{proxy}"
     end
   else
     external_videoplayback_proxy = ""
diff --git a/src/invidious/http_server/utils.cr b/src/invidious/http_server/utils.cr
index 89c0beb2..850bd2b0 100644
--- a/src/invidious/http_server/utils.cr
+++ b/src/invidious/http_server/utils.cr
@@ -9,14 +9,14 @@ module Invidious::HttpServer
   def check_external_proxy
     CONFIG.external_videoplayback_proxy.each do |proxy|
       begin
-        response = HTTP::Client.get("#{proxy[:url]}/health")
+        response = HTTP::Client.get("#{proxy}/health")
         if response.status_code == 200
-          @@proxy_alive = proxy[:url]
-          LOGGER.debug("CheckExternalProxy: Proxy set to: '#{proxy[:url]}'")
+          @@proxy_alive = proxy
+          LOGGER.debug("CheckExternalProxy: Proxy set to: '#{proxy}'")
           break
         end
       rescue
-        LOGGER.debug("CheckExternalProxy: Proxy '#{proxy[:url]}' is not available")
+        LOGGER.debug("CheckExternalProxy: Proxy '#{proxy}' is not available")
       end
     end
     if @@proxy_alive.empty?
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 0296651e..7c5c829c 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
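Review bot: With `EXT_VIDEOP_LIST = gen_videoplayback_proxy_list()` removed from src/invidious.cr in this same patch, this helper appears to have no remaining caller, yet before_all.cr now rebuilds the same space-joined proxy list by hand; either delete `gen_videoplayback_proxy_list` or have before_all.cr call it so the CSP source-list format lives in one place. If it stays, the `if/else` that assigns `""` on both paths collapses to `external_videoplayback_proxy = CONFIG.external_videoplayback_proxy.map { |proxy| " #{proxy}" }.join`. The `def gen_videoplayback_proxy_list` line is only visible in the `@@` context, so the method begins and ends outside the hunk.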
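Review bot: The rewritten `HTTP::Client.get("#{proxy}/health")` still sets no connect or read timeout, so a configured proxy that accepts TCP but never answers stalls this loop (and everything waiting on it) indefinitely, which is the wrong failure mode for a health check; Crystal's class-level `get` appears to use the defaults, so I would build the client explicitly and set `client.connect_timeout = 5.seconds` and `client.read_timeout = 5.seconds` before the request — confirm against the HTTP::Client version in use. The bare `rescue` also hides why a proxy was skipped; `rescue ex` and appending `ex.message` to the debug line costs nothing. Note that a trailing slash in a config entry yields `//health`, which some servers reject, so the origin shape should be documented or normalized at config load. `check_external_proxy` continues below the hunk.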
@@ -20,12 +20,26 @@ module Invidious::Routes::BeforeAll
     env.response.headers["X-XSS-Protection"] = "1; mode=block"
     env.response.headers["X-Content-Type-Options"] = "nosniff"
+    extra_media_csp = ""
+    if CONFIG.invidious_companion.present?
+      extra_media_csp = " #{CONFIG.invidious_companion.sample.public_url}"
+    end
+    if !CONFIG.external_videoplayback_proxy.empty?
+      CONFIG.external_videoplayback_proxy.each do |proxy|
+        extra_media_csp += " #{proxy}"
+      end
+    end
     # Allow media resources to be loaded from google servers
     # TODO: check if *.youtube.com can be removed
     if CONFIG.disabled?("local") || !preferences.local
-      extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
-    else
-      extra_media_csp = ""
+      extra_media_csp += " https://*.googlevideo.com:443 https://*.youtube.com:443"
+    end
+    extra_connect_csp = ""
+    if CONFIG.invidious_companion.present?
+      extra_connect_csp = " #{CONFIG.invidious_companion.sample.public_url}"
     end
     # Only allow the pages at /embed/* to be embedded
@@ -43,9 +57,9 @@ module Invidious::Routes::BeforeAll
       "style-src 'self' 'unsafe-inline'",
       "img-src 'self' data:",
       "font-src 'self' data:",
-      "connect-src 'self'" + CONFIG.invidious_companion.sample.public_url + EXT_VIDEOP_LIST,
+      "connect-src 'self'" + extra_connect_csp,
       "manifest-src 'self'",
-      "media-src 'self' blob:" + extra_media_csp + CONFIG.invidious_companion.sample.public_url + EXT_VIDEOP_LIST,
+      "media-src 'self' blob:" + extra_media_csp,
       "child-src 'self' blob:",
       "frame-src 'self'",
       "frame-ancestors " + frame_ancestors,
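Review bot: `CONFIG.invidious_companion.sample.public_url` picks one random companion for `extra_media_csp`, and a second, independent `sample` a few lines later picks another for `extra_connect_csp`, so with more than one companion configured each response allows a single randomly chosen origin per directive, the two directives can disagree with each other, and neither is guaranteed to match the companion the page actually hands the player — playback will then be blocked by CSP intermittently. Allow every configured companion instead: `extra_media_csp = CONFIG.invidious_companion.map { |c| " #{c.public_url}" }.join` and the same expression for `extra_connect_csp`. The `if !...empty?` guard around the `each` is redundant and the loop is itself a `map { |proxy| " #{proxy}" }.join`. The proxy strings are concatenated into the header unescaped; that is acceptable only because they are operator config, so Config should reject values containing whitespace or `;`. The handler that builds these headers starts above the hunk and continues below it.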
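Review bot: `connect-src` no longer lists the external videoplayback proxies — the removed line appended `EXT_VIDEOP_LIST`, the new one appends only `extra_connect_csp`, which is built from the companion alone — while `media-src` still receives them through `extra_media_csp`. That is correct only if proxy URLs are ever used as `<video>`/`<source>` targets; anything the player fetches from them with XHR/fetch (DASH manifests or MediaSource segments, if the player does that here) will now be refused by the browser, which would be a regression relative to the old header. If such a path exists, feed the same list into both directives, e.g. `extra_connect_csp += CONFIG.external_videoplayback_proxy.map { |proxy| " #{proxy}" }.join`, and add a comment above the array stating which directive each proxy origin is expected to satisfy. The CSP array is built inside a handler that begins above the hunk.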