From 2a91426824022e6aedbb0cb3141abcce6291f089 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Wed, 2 Apr 2025 20:44:33 -0300
Subject: [PATCH] use Host header on `img-src 'self' data:` CSP
---
 src/invidious/routes/before_all.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
index 2d5f1da3..e1edddbb 100644
--- a/src/invidious/routes/before_all.cr
+++ b/src/invidious/routes/before_all.cr
@@ -80,7 +80,7 @@ module Invidious::Routes::BeforeAll
 "default-src 'none'",
 "script-src 'self'",
 "style-src 'self' 'unsafe-inline'",
- "img-src 'self' data: " + HOST_URL,
+ "img-src 'self' data: " + "#{env.request.headers["Host"]?}",
 "font-src 'self' data:",
 "connect-src 'self'" + extra_connect_csp,
 "manifest-src 'self'",
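Review bot: The new `img-src` line copies the request's `Host` header into the Content-Security-Policy value without any validation, so a client-supplied string becomes part of the policy; a value containing whitespace or `;` would add sources or start a new directive, and a cache that stores the response without keying on `Host` would hand that policy to other users. Since `'self'` already covers the origin the page was served from, the header is presumably only wanted for alternate domains, and those are safer taken from a configured list than from the request. If the header has to be used, check it and fall back to the constant, e.g. `host = env.request.headers["Host"]?` followed by `img_host = (host && host.matches?(/\A[A-Za-z0-9.-]+(:\d+)?\z/)) ? host : HOST_URL`. The array and its enclosing block start and end outside the hunk, so whether a reverse proxy in front of the app already pins `Host` cannot be seen from here.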