From ddfd20d997b17dbccd69d6da617e294d73a091d1 Mon Sep 17 00:00:00 2001 From: Omar Roth Date: Fri, 10 May 2019 15:29:10 -0500 Subject: [PATCH] Fix CSP for subdomains --- src/invidious.cr | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/invidious.cr b/src/invidious.cr index 25bd3672..eb1b5104 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -187,9 +187,10 @@ end proxies = PROXY_LIST before_all do |env| + host_url = make_host_url(config, Kemal.config) env.response.headers["X-XSS-Protection"] = "1; mode=block;" env.response.headers["X-Content-Type-Options"] = "nosniff" - env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' https://*.googlevideo.com:443" + env.response.headers["Content-Security-Policy"] = "default-src blob: data: 'self' #{host_url} 'unsafe-inline' 'unsafe-eval'; media-src blob: 'self' #{host_url} https://*.googlevideo.com:443" env.response.headers["Referrer-Policy"] = "same-origin" if Kemal.config.ssl || config.https_only