refactor CSP and fix non proxied videoplayback due to CSP
Probably fixes #65
parent
391659780d
commit
13e69dba80
5 changed files with 25 additions and 12 deletions
|
@ -88,7 +88,6 @@ REDDIT_URL = URI.parse("https://www.reddit.com")
|
|||
YT_URL = URI.parse("https://www.youtube.com")
|
||||
PUBSUB_HOST_URL = CONFIG.pubsub_domain
|
||||
HOST_URL = make_host_url(Kemal.config)
|
||||
EXT_VIDEOP_LIST = gen_videoplayback_proxy_list()
|
||||
|
||||
CHARS_SAFE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
|
||||
TEST_IDS = {"AgbeGFYluEA", "BaW_jenozKc", "a9LDPn-MO4I", "ddFvjfvPnqk", "iqKdEhx-dD4"}
|
||||
|
|
|
@ -209,7 +209,7 @@ class Config
|
|||
|
||||
# External videoplayback proxies list. They should include `https://`
|
||||
# at the start of the URI
|
||||
property external_videoplayback_proxy : Array(NamedTuple(url: String, balance: Bool)) = [] of NamedTuple(url: String, balance: Bool)
|
||||
property external_videoplayback_proxy : Array(String) = [] of String
|
||||
|
||||
property pubsub_domain : String = ""
|
||||
|
||||
|
|
|
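Review bot: Nothing visible in this hunk enforces the `https://` requirement stated in the comment above `external_videoplayback_proxy`, and after this change each entry is a bare string that the other hunks of this commit copy verbatim into the `media-src` directive and into the `/health` request URL. An entry containing a space or `;` would add extra sources or directives to the CSP header, and nothing shown here would reject an `http://` entry. I would validate the list once at config load (parse each entry as a URI, require scheme `https` and a host, reject whitespace and `;`) and extend the comment with `# Each entry is a plain origin string such as "https://proxy.example.com" (constructed example), without a trailing slash`. The switch from `{url:, balance:}` entries to plain strings also changes the config file format, which existing deployments need to be told about; the rest of `Config` is outside the hunk.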
@ -390,7 +390,7 @@ def gen_videoplayback_proxy_list
|
|||
if !CONFIG.external_videoplayback_proxy.empty?
|
||||
external_videoplayback_proxy = ""
|
||||
CONFIG.external_videoplayback_proxy.each do |proxy|
|
||||
external_videoplayback_proxy += " #{proxy[:url]}"
|
||||
external_videoplayback_proxy += " #{proxy}"
|
||||
end
|
||||
else
|
||||
external_videoplayback_proxy = ""
|
||||
|
|
|
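Review bot: `gen_videoplayback_proxy_list` is kept and updated here although this commit removes `EXT_VIDEOP_LIST`, the only caller visible on this page, and the before_all handler now builds the same space-separated list itself. If no other caller remains I would delete the helper; otherwise before_all should call it, so that the CSP source list is formatted in one place and the two copies cannot drift. The `if`/`else` in the visible lines is equivalent to `external_videoplayback_proxy = CONFIG.external_videoplayback_proxy.map { |proxy| " #{proxy}" }.join`, since an empty array joins to an empty string. The function's end is outside the hunk.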
@ -9,14 +9,14 @@ module Invidious::HttpServer
|
|||
def check_external_proxy
|
||||
CONFIG.external_videoplayback_proxy.each do |proxy|
|
||||
begin
|
||||
response = HTTP::Client.get("#{proxy[:url]}/health")
|
||||
response = HTTP::Client.get("#{proxy}/health")
|
||||
if response.status_code == 200
|
||||
@@proxy_alive = proxy[:url]
|
||||
LOGGER.debug("CheckExternalProxy: Proxy set to: '#{proxy[:url]}'")
|
||||
@@proxy_alive = proxy
|
||||
LOGGER.debug("CheckExternalProxy: Proxy set to: '#{proxy}'")
|
||||
break
|
||||
end
|
||||
rescue
|
||||
LOGGER.debug("CheckExternalProxy: Proxy '#{proxy[:url]}' is not available")
|
||||
LOGGER.debug("CheckExternalProxy: Proxy '#{proxy}' is not available")
|
||||
end
|
||||
end
|
||||
if @@proxy_alive.empty?
|
||||
|
|
|
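Review bot: `@@proxy_alive` is only written on a 200 response, so within the visible lines a run in which every proxy fails leaves the previous value in place and the `@@proxy_alive.empty?` branch after the loop does not fire; unless a caller resets it, requests keep being pointed at a proxy that just failed its health check. Collecting the result in a local avoids that: `alive = ""` before the loop, `alive = proxy` in the 200 branch, and `@@proxy_alive = alive` after the loop. The bare `rescue` also drops the exception, so `rescue ex` with `ex.message` in the debug line would show why a proxy was rejected, and no connect or read timeout is set on the visible `HTTP::Client.get` call, so an unresponsive proxy can stall the check. The method continues past the end of the hunk.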
@ -20,12 +20,26 @@ module Invidious::Routes::BeforeAll
|
|||
env.response.headers["X-XSS-Protection"] = "1; mode=block"
|
||||
env.response.headers["X-Content-Type-Options"] = "nosniff"
|
||||
|
||||
extra_media_csp = ""
|
||||
if CONFIG.invidious_companion.present?
|
||||
extra_media_csp = " #{CONFIG.invidious_companion.sample.public_url}"
|
||||
end
|
||||
|
||||
if !CONFIG.external_videoplayback_proxy.empty?
|
||||
CONFIG.external_videoplayback_proxy.each do |proxy|
|
||||
extra_media_csp += " #{proxy}"
|
||||
end
|
||||
end
|
||||
|
||||
# Allow media resources to be loaded from google servers
|
||||
# TODO: check if *.youtube.com can be removed
|
||||
if CONFIG.disabled?("local") || !preferences.local
|
||||
extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
|
||||
else
|
||||
extra_media_csp = ""
|
||||
extra_media_csp += " https://*.googlevideo.com:443 https://*.youtube.com:443"
|
||||
end
|
||||
|
||||
extra_connect_csp = ""
|
||||
if CONFIG.invidious_companion.present?
|
||||
extra_connect_csp = " #{CONFIG.invidious_companion.sample.public_url}"
|
||||
end
|
||||
|
||||
# Only allow the pages at /embed/* to be embedded
|
||||
|
@ -43,9 +57,9 @@ module Invidious::Routes::BeforeAll
|
|||
"style-src 'self' 'unsafe-inline'",
|
||||
"img-src 'self' data:",
|
||||
"font-src 'self' data:",
|
||||
"connect-src 'self'" + CONFIG.invidious_companion.sample.public_url + EXT_VIDEOP_LIST,
|
||||
"connect-src 'self'" + extra_connect_csp,
|
||||
"manifest-src 'self'",
|
||||
"media-src 'self' blob:" + extra_media_csp + CONFIG.invidious_companion.sample.public_url + EXT_VIDEOP_LIST,
|
||||
"media-src 'self' blob:" + extra_media_csp,
|
||||
"child-src 'self' blob:",
|
||||
"frame-src 'self'",
|
||||
"frame-ancestors " + frame_ancestors,
|
||||
|
|
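Review bot: The added blocks call `CONFIG.invidious_companion.sample.public_url` twice, once for `extra_media_csp` and once for `extra_connect_csp`, so with more than one companion configured the two directives of one response can name different companions, and neither is tied to the companion the page's media URLs actually use (that selection is not visible here). I would either pick the companion once per request and reuse it, or allow all of them with `companion_csp = CONFIG.invidious_companion.map { |c| " #{c.public_url}" }.join` appended to both directives. Separately, `connect-src` no longer includes the external videoplayback proxies that the old line added through `EXT_VIDEOP_LIST`; if the player fetches segments from those proxies with fetch/XHR rather than through the media element, those requests will now be blocked, so that is worth confirming. The `if !CONFIG.external_videoplayback_proxy.empty?` wrapper around `each` is redundant. The surrounding handler starts and ends outside both hunks.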