From 42d9fd9c888d58f5597cf4d54a0628cb60aa9a7a Mon Sep 17 00:00:00 2001
From: Samantaz Fox <coding@samantaz.fr>
Date: Thu, 17 Jun 2021 19:45:20 +0200
Subject: [PATCH 1/2] Rewrite response headers

Fixes #2018 and #2153
---
 src/invidious.cr | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index ebba52b1..fbd1a834 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -174,15 +174,44 @@ before_all do |env|
   env.set "preferences", preferences
   env.response.headers["X-XSS-Protection"] = "1; mode=block"
   env.response.headers["X-Content-Type-Options"] = "nosniff"
-  extra_media_csp = ""
+
+  # Allow media ressources to be loaded from google servers
+  # TODO: check if *.youtube.com can be removed
   if CONFIG.disabled?("local") || !preferences.local
-    extra_media_csp += " https://*.googlevideo.com:443"
-    extra_media_csp += " https://*.youtube.com:443"
+    extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"
+  else
+    extra_media_csp = ""
   end
-  # TODO: Remove style-src's 'unsafe-inline', requires to remove all inline styles (<style> [..] </style>, style=" [..] ")
-  env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:#{extra_media_csp}; child-src blob:"
+
+  # Only allow the pages at /embed/* to be embedded
+  if env.request.resource.starts_with?("/embed")
+    frame_ancestors = "'self' http: https:"
+  else
+    frame_ancestors = "none"
+  end
+
+  # TODO: Remove style-src's 'unsafe-inline', requires to remove all
+  # inline styles (<style> [..] </style>, style=" [..] ")
+  env.response.headers["Content-Security-Policy"] = {
+    "default-src 'none'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data:",
+    "font-src 'self' data:",
+    "connect-src 'self'",
+    "manifest-src 'self'",
+    "media-src 'self' blob:" + extra_media_csp,
+    "child-src 'self' blob:",
+    "frame-src 'self'",
+    "frame-ancestors " + frame_ancestors,
+  }.join("; ")
+
   env.response.headers["Referrer-Policy"] = "same-origin"
 
+  # Ask the chrom*-based browsers to disable FLoC
+  # See: https://blog.runcloud.io/google-floc/
+  env.response.headers["Permissions-Policy"] = "interest-cohort=()"
+
   if (Kemal.config.ssl || CONFIG.https_only) && CONFIG.hsts
     env.response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
   end

From b8f0b4b583cde748574dc62af5146e5c4221c22c Mon Sep 17 00:00:00 2001
From: TheFrenchGhosty <47571719+TheFrenchGhosty@users.noreply.github.com>
Date: Sat, 19 Jun 2021 09:40:33 +0200
Subject: [PATCH 2/2] Typo

---
 src/invidious.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index fbd1a834..7037ecfe 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -175,7 +175,7 @@ before_all do |env|
   env.response.headers["X-XSS-Protection"] = "1; mode=block"
   env.response.headers["X-Content-Type-Options"] = "nosniff"
 
-  # Allow media ressources to be loaded from google servers
+  # Allow media resources to be loaded from google servers
   # TODO: check if *.youtube.com can be removed
   if CONFIG.disabled?("local") || !preferences.local
     extra_media_csp = " https://*.googlevideo.com:443 https://*.youtube.com:443"