From a749ac73acb19ec2e3897006183a4bb1f63ef99a Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@hotmail.com>
Date: Wed, 5 Sep 2018 20:32:01 -0500
Subject: [PATCH] Add header check for CSRF

---
 src/invidious.cr | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/invidious.cr b/src/invidious.cr
index 22643016..f38a1343 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -106,6 +106,18 @@ spawn do
 end
 
 before_all do |env|
+  # CSRF
+  if Kemal.config.ssl || CONFIG.https_only
+    host = env.request.headers["Host"]?
+
+    if (env.request.headers["Origin"]?.try &.== host) ||
+       (env.request.headers["Referer"]?.try &.== host)
+      # All good!
+    else
+      halt env, status_code: 403, response: "Failed CSRF check"
+    end
+  end
+
   if env.request.cookies.has_key? "SID"
     headers = HTTP::Headers.new
     headers["Cookie"] = env.request.headers["Cookie"]