diff --git a/src/invidious/http_server/utils.cr b/src/invidious/http_server/utils.cr index 623a9177..c42a832f 100644 --- a/src/invidious/http_server/utils.cr +++ b/src/invidious/http_server/utils.cr @@ -4,7 +4,7 @@ module Invidious::HttpServer module Utils extend self - def proxy_video_url(raw_url : String, *, region : String? = nil, absolute : Bool = false) + def proxy_video_url(raw_url : String, *, region : String? = nil, absolute : Bool = false, host : String? = "") url = URI.parse(raw_url) # Add some URL parameters @@ -14,7 +14,7 @@ module Invidious::HttpServer url.query_params = params if absolute - return "#{HOST_URL}#{url.request_target}" + return "#{host}#{url.request_target}" else return url.request_target end diff --git a/src/invidious/routes/api/manifest.cr b/src/invidious/routes/api/manifest.cr index c27caad7..425a92cc 100644 --- a/src/invidious/routes/api/manifest.cr +++ b/src/invidious/routes/api/manifest.cr @@ -1,6 +1,8 @@ module Invidious::Routes::API::Manifest # /api/manifest/dash/id/:id def self.get_dash_video_id(env) + host = env.request.headers["Host"] + env.response.headers.add("Access-Control-Allow-Origin", "*") env.response.content_type = "application/dash+xml" @@ -36,7 +38,7 @@ module Invidious::Routes::API::Manifest # Other API clients can get the original URLs by omiting `local=true`. manifest = response.body.gsub(/[^<]+<\/BaseURL>/) do |baseurl| url = baseurl.lchop("").rchop("") - url = HttpServer::Utils.proxy_video_url(url, absolute: true) if local + url = HttpServer::Utils.proxy_video_url(url, absolute: true, host: host) if local "#{url}" end @@ -46,7 +48,7 @@ module Invidious::Routes::API::Manifest # Ditto, only proxify URLs if `local=true` is used if local video.adaptive_fmts.each do |fmt| - fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, absolute: true)) + fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, absolute: true, host: host)) end end 
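Review bot: In the `if absolute` branch of proxy_video_url, the new default `host : String? = ""` lets `absolute: true` silently return a host-less path when a caller omits `host` or passes nil, because `"#{host}#{url.request_target}"` then interpolates an empty string. The parameter is also ignored whenever `absolute` is false, which is how the embed.cr, watch.cr and video_playback.cr hunks call it (`host: host` / `host: host_` without `absolute: true`), so those arguments have no effect. Keeping the configured base as the default, `host : String = HOST_URL`, and documenting that `host` only matters for absolute URLs would avoid both surprises. The body of proxy_video_url continues outside both utils.cr hunks.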
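Review bot: `host = env.request.headers["Host"]` at the top of get_dash_video_id takes the base of every absolute URL in the manifest from a header the client controls, where `HOST_URL` came from server configuration. A request with a forged Host gets a manifest whose `BaseURL` entries point at that host, and a shared cache or reverse proxy that does not key on Host could serve it to other users; `headers["Host"]` also raises when the header is absent. The value carries no scheme, so unless `HOST_URL` was scheme-less too (it replaces `https://www.youtube.com` in get_hls_variant, which suggests it was not) the generated URLs are no longer absolute. The same pattern recurs in the other manifest.cr hunks and in authenticated.cr (`Location`), feeds.cr, search.cr, login.cr, preferences.cr and the two views. Read it with `env.request.headers["Host"]?`, accept it only when it matches `CONFIG.domain` or an explicitly configured list of alternative domains, and fall back to `HOST_URL` otherwise.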
@@ -167,6 +169,8 @@ module Invidious::Routes::API::Manifest # /api/manifest/hls_playlist/* def self.get_hls_playlist(env) + host = env.request.headers["Host"] + response = YT_POOL.client &.get(env.request.path) if response.status_code != 200 @@ -214,7 +218,7 @@ module Invidious::Routes::API::Manifest raw_params["host"] = uri.host.not_nil! - "#{HOST_URL}/videoplayback?#{raw_params}" + "#{host}/videoplayback?#{raw_params}" end end @@ -223,6 +227,8 @@ module Invidious::Routes::API::Manifest # /api/manifest/hls_variant/* def self.get_hls_variant(env) + host = env.request.headers["Host"] + response = YT_POOL.client &.get(env.request.path) if response.status_code != 200 @@ -237,7 +243,7 @@ module Invidious::Routes::API::Manifest manifest = response.body if local - manifest = manifest.gsub("https://www.youtube.com", HOST_URL) + manifest = manifest.gsub("https://www.youtube.com", host) manifest = manifest.gsub("index.m3u8", "index.m3u8?local=true") end diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr index a35d2f2b..ced82989 100644 --- a/src/invidious/routes/api/v1/authenticated.cr +++ b/src/invidious/routes/api/v1/authenticated.cr @@ -208,6 +208,8 @@ module Invidious::Routes::API::V1::Authenticated end def self.create_playlist(env) + host = env.request.headers["Host"] + env.response.content_type = "application/json" user = env.get("user").as(User) @@ -226,7 +228,7 @@ module Invidious::Routes::API::V1::Authenticated end playlist = create_playlist(title, privacy, user) - env.response.headers["Location"] = "#{HOST_URL}/api/v1/auth/playlists/#{playlist.id}" + env.response.headers["Location"] = "#{host}/api/v1/auth/playlists/#{playlist.id}" env.response.status_code = 201 { "title" => title, @@ -290,6 +292,8 @@ module Invidious::Routes::API::V1::Authenticated end def self.insert_video_into_playlist(env) + host = env.request.headers["Host"] + env.response.content_type = "application/json" user = env.get("user").as(User) 
@@ -336,7 +340,7 @@ module Invidious::Routes::API::V1::Authenticated Invidious::Database::PlaylistVideos.insert(playlist_video) Invidious::Database::Playlists.update_video_added(plid, playlist_video.index) - env.response.headers["Location"] = "#{HOST_URL}/api/v1/auth/playlists/#{plid}/videos/#{playlist_video.index.to_u64.to_s(16).upcase}" + env.response.headers["Location"] = "#{host}/api/v1/auth/playlists/#{plid}/videos/#{playlist_video.index.to_u64.to_s(16).upcase}" env.response.status_code = 201 JSON.build do |json| diff --git a/src/invidious/routes/embed.cr b/src/invidious/routes/embed.cr index 930e4915..99199268 100644 --- a/src/invidious/routes/embed.cr +++ b/src/invidious/routes/embed.cr @@ -34,6 +34,7 @@ module Invidious::Routes::Embed def self.show(env) locale = env.get("preferences").as(Preferences).locale + host = env.request.headers["Host"] id = env.params.url["id"] plid = env.params.query["list"]?.try &.gsub(/[^a-zA-Z0-9_-]/, "") @@ -161,11 +162,11 @@ module Invidious::Routes::Embed adaptive_fmts = video.adaptive_fmts if params.local - fmt_stream.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s)) } + fmt_stream.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, host: host)) } end # Always proxy DASH streams, otherwise youtube CORS headers will prevent playback - adaptive_fmts.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s)) } + adaptive_fmts.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, host: host)) } video_streams = video.video_streams audio_streams = video.audio_streams diff --git a/src/invidious/routes/errors.cr b/src/invidious/routes/errors.cr index 1e9ab44e..5f0619d6 100644 --- a/src/invidious/routes/errors.cr +++ b/src/invidious/routes/errors.cr 
@@ -1,7 +1,7 @@ module Invidious::Routes::ErrorRoutes def self.error_404(env) # Workaround for #3117 - if HOST_URL.empty? && env.request.path.starts_with?("/v1/storyboards/sb") + if env.request.headers["Host"].empty? && env.request.path.starts_with?("/v1/storyboards/sb") return env.redirect "#{env.request.path[15..]}?#{env.params.query}" end diff --git a/src/invidious/routes/feeds.cr b/src/invidious/routes/feeds.cr index abfea9ee..dc4ab547 100644 --- a/src/invidious/routes/feeds.cr +++ b/src/invidious/routes/feeds.cr @@ -143,6 +143,8 @@ module Invidious::Routes::Feeds # RSS feeds def self.rss_channel(env) + host = env.request.headers["Host"] + env.response.headers["Content-Type"] = "application/atom+xml" env.response.content_type = "application/atom+xml" @@ -199,21 +201,21 @@ module Invidious::Routes::Feeds xml.element("feed", "xmlns:yt": "http://www.youtube.com/xml/schemas/2015", "xmlns:media": "http://search.yahoo.com/mrss/", xmlns: "http://www.w3.org/2005/Atom", "xml:lang": "en-US") do - xml.element("link", rel: "self", href: "#{HOST_URL}#{env.request.resource}") + xml.element("link", rel: "self", href: "#{host}#{env.request.resource}") xml.element("id") { xml.text "yt:channel:#{ucid}" } xml.element("yt:channelId") { xml.text ucid } xml.element("title") { author } - xml.element("link", rel: "alternate", href: "#{HOST_URL}/channel/#{ucid}") + xml.element("link", rel: "alternate", href: "#{host}/channel/#{ucid}") xml.element("author") do xml.element("name") { xml.text author } - xml.element("uri") { xml.text "#{HOST_URL}/channel/#{ucid}" } + xml.element("uri") { xml.text "#{host}/channel/#{ucid}" } end xml.element("image") do xml.element("url") { xml.text "" } xml.element("title") { xml.text author } - xml.element("link", rel: "self", href: "#{HOST_URL}#{env.request.resource}") + xml.element("link", rel: "self", href: "#{host}#{env.request.resource}") end videos.each do |video| 
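Review bot: In error_404 the `#3117` workaround was gated on `HOST_URL.empty?`, presumably meaning "no domain configured"; `env.request.headers["Host"].empty?` tests something different, because a request normally carries a non-empty Host, so the storyboard redirect effectively never runs. A request without the header now raises in the error handler instead of reaching the 404 page. If the workaround is still needed, keep the original condition, `if HOST_URL.empty? && env.request.path.starts_with?("/v1/storyboards/sb")`. error_404 continues outside the hunk.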
@@ -225,6 +227,7 @@ module Invidious::Routes::Feeds def self.rss_private(env) locale = env.get("preferences").as(Preferences).locale + host = env.request.headers["Host"] env.response.headers["Content-Type"] = "application/atom+xml" env.response.content_type = "application/atom+xml" @@ -255,9 +258,9 @@ module Invidious::Routes::Feeds xml.element("feed", "xmlns:yt": "http://www.youtube.com/xml/schemas/2015", "xmlns:media": "http://search.yahoo.com/mrss/", xmlns: "http://www.w3.org/2005/Atom", "xml:lang": "en-US") do - xml.element("link", "type": "text/html", rel: "alternate", href: "#{HOST_URL}/feed/subscriptions") + xml.element("link", "type": "text/html", rel: "alternate", href: "#{host}/feed/subscriptions") xml.element("link", "type": "application/atom+xml", rel: "self", - href: "#{HOST_URL}#{env.request.resource}") + href: "#{host}#{env.request.resource}") xml.element("title") { xml.text translate(locale, "Invidious Private Feed for `x`", user.email) } (notifications + videos).each do |video| @@ -269,6 +272,7 @@ module Invidious::Routes::Feeds def self.rss_playlist(env) locale = env.get("preferences").as(Preferences).locale + host = env.request.headers["Host"] env.response.headers["Content-Type"] = "application/atom+xml" env.response.content_type = "application/atom+xml" 
@@ -286,11 +290,11 @@ module Invidious::Routes::Feeds xml.element("feed", "xmlns:yt": "http://www.youtube.com/xml/schemas/2015", "xmlns:media": "http://search.yahoo.com/mrss/", xmlns: "http://www.w3.org/2005/Atom", "xml:lang": "en-US") do - xml.element("link", rel: "self", href: "#{HOST_URL}#{env.request.resource}") + xml.element("link", rel: "self", href: "#{host}#{env.request.resource}") xml.element("id") { xml.text "iv:playlist:#{plid}" } xml.element("iv:playlistId") { xml.text plid } xml.element("title") { xml.text playlist.title } - xml.element("link", rel: "alternate", href: "#{HOST_URL}/playlist?list=#{plid}") + xml.element("link", rel: "alternate", href: "#{host}/playlist?list=#{plid}") xml.element("author") do xml.element("name") { xml.text playlist.author } @@ -320,7 +324,7 @@ module Invidious::Routes::Feeds when "url", "href" request_target = URI.parse(node[attribute.name]).request_target query_string_opt = request_target.starts_with?("/watch?v=") ? "&#{params}" : "" - node[attribute.name] = "#{HOST_URL}#{request_target}#{query_string_opt}" + node[attribute.name] = "#{host}#{request_target}#{query_string_opt}" else nil # Skip end end @@ -329,7 +333,7 @@ module Invidious::Routes::Feeds document = document.to_xml(options: XML::SaveOptions::NO_DECL) document.scan(/(?[^<]+)<\/uri>/).each do |match| - content = "#{HOST_URL}#{URI.parse(match["url"]).request_target}" + content = "#{host}#{URI.parse(match["url"]).request_target}" document = document.gsub(match[0], "#{content}") end document diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr index e7de5018..d53ca2d6 100644 --- a/src/invidious/routes/login.cr +++ b/src/invidious/routes/login.cr @@ -26,6 +26,7 @@ module Invidious::Routes::Login def self.login(env) locale = env.get("preferences").as(Preferences).locale + host = env.request.headers["Host"] referer = get_referer(env, "/feed/subscriptions") 
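Review bot: In the rss_playlist hunk at -329,7, `content = "#{host}#{URI.parse(match["url"]).request_target}"` is spliced into the already serialized document with `document.gsub`, so the request's Host value reaches the feed body without going through the XML builder's escaping. Whether the HTTP layer already rejects markup characters in Host is not visible here, so it is safer to escape at the point of use, e.g. `content = HTML.escape("#{host}#{URI.parse(match["url"]).request_target}")`, in addition to validating the header where it is read. The `node[attribute.name] = ...` assignment in the hunk at -320,7 goes through the XML node API rather than string substitution and is less exposed.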
@@ -57,7 +58,7 @@ module Invidious::Routes::Login sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) Invidious::Database::SessionIDs.insert(sid, email) - env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid) + env.response.cookies["SID"] = Invidious::User::Cookies.sid(host, sid) else return error_template(401, "Wrong username or password") end @@ -121,7 +122,7 @@ module Invidious::Routes::Login view_name = "subscriptions_#{sha256(user.email)}" PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}") - env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid) + env.response.cookies["SID"] = Invidious::User::Cookies.sid(host, sid) if env.request.cookies["PREFS"]? user.preferences = env.get("preferences").as(Preferences) diff --git a/src/invidious/routes/preferences.cr b/src/invidious/routes/preferences.cr index 39ca77c0..62d9c1d8 100644 --- a/src/invidious/routes/preferences.cr +++ b/src/invidious/routes/preferences.cr @@ -14,6 +14,7 @@ module Invidious::Routes::PreferencesRoute def self.update(env) locale = env.get("preferences").as(Preferences).locale referer = get_referer(env) + host = env.request.headers["Host"] video_loop = env.params.body["video_loop"]?.try &.as(String) video_loop ||= "off" @@ -223,8 +224,8 @@ module Invidious::Routes::PreferencesRoute File.write("config/config.yml", CONFIG.to_yaml) end - else - env.response.cookies["PREFS"] = Invidious::User::Cookies.prefs(CONFIG.domain, preferences) + + env.response.cookies["PREFS"] = Invidious::User::Cookies.prefs(host, preferences) end env.redirect referer @@ -233,6 +234,7 @@ module Invidious::Routes::PreferencesRoute def self.toggle_theme(env) locale = env.get("preferences").as(Preferences).locale referer = get_referer(env, unroll: false) + host = env.request.headers["Host"] redirect = env.params.query["redirect"]? redirect ||= "true" 
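Review bot: Both `Invidious::User::Cookies.sid(host, sid)` calls in login.cr (this hunk and the one at -121,7) now scope the session cookie with the raw Host header instead of `CONFIG.domain`. Host can include a port (for example `example.com:3000`), which is not a valid cookie `Domain` value, so browsers can be expected to drop the SID cookie on instances served from a non-default port and login would fail without an error. Strip the port and compare the name against the configured domains before passing it on, falling back to `CONFIG.domain` when it does not match. The login function continues outside both hunks.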
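Review bot: Removing `else` in the preferences.cr hunk at -223,8 moves the `PREFS` cookie write out of the anonymous branch: from the visible lines it now follows the admin block's `end` inside the branch that used to stop at `else`, so visitors who are not logged in would no longer have their preferences stored. The blank line added in place of `else` looks accidental. Restoring `else` and changing only the argument, `env.response.cookies["PREFS"] = Invidious::User::Cookies.prefs(host, preferences)`, keeps the previous control flow. The enclosing `if` starts outside the hunk, so this should be confirmed against the full function.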
@@ -259,7 +261,7 @@ module Invidious::Routes::PreferencesRoute preferences.dark_mode = "dark" end - env.response.cookies["PREFS"] = Invidious::User::Cookies.prefs(CONFIG.domain, preferences) + env.response.cookies["PREFS"] = Invidious::User::Cookies.prefs(host, preferences) end if redirect diff --git a/src/invidious/routes/search.cr b/src/invidious/routes/search.cr index b195c7b3..e650d4d5 100644 --- a/src/invidious/routes/search.cr +++ b/src/invidious/routes/search.cr @@ -3,6 +3,8 @@ module Invidious::Routes::Search def self.opensearch(env) locale = env.get("preferences").as(Preferences).locale + host = env.request.headers["Host"] + env.response.content_type = "application/opensearchdescription+xml" XML.build(indent: " ", encoding: "UTF-8") do |xml| @@ -11,8 +13,8 @@ module Invidious::Routes::Search xml.element("LongName") { xml.text "Invidious Search" } xml.element("Description") { xml.text "Search for videos, channels, and playlists on Invidious" } xml.element("InputEncoding") { xml.text "UTF-8" } - xml.element("Image", width: 48, height: 48, type: "image/x-icon") { xml.text "#{HOST_URL}/favicon.ico" } - xml.element("Url", type: "text/html", method: "get", template: "#{HOST_URL}/search?q={searchTerms}") + xml.element("Image", width: 48, height: 48, type: "image/x-icon") { xml.text "#{host}/favicon.ico" } + xml.element("Url", type: "text/html", method: "get", template: "#{host}/search?q={searchTerms}") end end end diff --git a/src/invidious/routes/video_playback.cr b/src/invidious/routes/video_playback.cr index 083087a9..5368df68 100644 --- a/src/invidious/routes/video_playback.cr +++ b/src/invidious/routes/video_playback.cr @@ -2,6 +2,7 @@ module Invidious::Routes::VideoPlayback # /videoplayback def self.get_video_playback(env) locale = env.get("preferences").as(Preferences).locale + host_ = env.request.headers["Host"] query_params = env.params.query fvip = query_params["fvip"]? || "3" 
@@ -107,7 +108,7 @@ module Invidious::Routes::VideoPlayback env.response.headers["Access-Control-Allow-Origin"] = "*" if location = resp.headers["Location"]? - url = Invidious::HttpServer::Utils.proxy_video_url(location, region: region) + url = Invidious::HttpServer::Utils.proxy_video_url(location, region: region, host: host_) return env.redirect url end @@ -165,7 +166,7 @@ module Invidious::Routes::VideoPlayback env.response.headers["Access-Control-Allow-Origin"] = "*" if location = resp.headers["Location"]? - url = Invidious::HttpServer::Utils.proxy_video_url(location, region: region) + url = Invidious::HttpServer::Utils.proxy_video_url(location, region: region, host: host_) if title = query_params["title"]? url = "#{url}&title=#{URI.encode_www_form(title)}" diff --git a/src/invidious/routes/watch.cr b/src/invidious/routes/watch.cr index e777b3f1..d34eb33d 100644 --- a/src/invidious/routes/watch.cr +++ b/src/invidious/routes/watch.cr @@ -4,6 +4,7 @@ module Invidious::Routes::Watch def self.handle(env) locale = env.get("preferences").as(Preferences).locale region = env.params.query["region"]? + host = env.request.headers["Host"] if env.params.query.to_s.includes?("%20") || env.params.query.to_s.includes?("+") url = "/watch?" + env.params.query.to_s.gsub("%20", "").delete("+") 
@@ -121,11 +122,11 @@ module Invidious::Routes::Watch adaptive_fmts = video.adaptive_fmts if params.local - fmt_stream.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s)) } + fmt_stream.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, host: host)) } end # Always proxy DASH streams, otherwise youtube CORS headers will prevent playback - adaptive_fmts.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s)) } + adaptive_fmts.each { |fmt| fmt["url"] = JSON::Any.new(HttpServer::Utils.proxy_video_url(fmt["url"].as_s, host: host)) } video_streams = video.video_streams audio_streams = video.audio_streams diff --git a/src/invidious/user/cookies.cr b/src/invidious/user/cookies.cr index 654efc15..38c5fae1 100644 --- a/src/invidious/user/cookies.cr +++ b/src/invidious/user/cookies.cr @@ -6,17 +6,23 @@ struct Invidious::User # Note: we use ternary operator because the two variables # used in here are not booleans. - SECURE = (Kemal.config.ssl || CONFIG.https_only) ? true : false + @@secure = (Kemal.config.ssl || CONFIG.https_only) ? true : false # Session ID (SID) cookie # Parameter "domain" comes from the global config def sid(domain : String?, sid) : HTTP::Cookie + # Not secure if it's being accessed from I2P + # Browsers expect the domain to include https. On I2P there is no HTTPS + if domain.not_nil!.split(".").last == "i2p" + @@secure = false + end + return HTTP::Cookie.new( name: "SID", domain: domain, value: sid, expires: Time.utc + 2.years, - secure: SECURE, + secure: @@secure, http_only: true, samesite: HTTP::Cookie::SameSite::Lax ) 
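Review bot: `@@secure = false` inside sid (and again in prefs in the next cookies.cr hunk) mutates state shared by every call, so after one request whose domain ends in `i2p` all later SID and PREFS cookies for all users are issued without the Secure flag until the process restarts. Because the callers now pass the request's Host header as `domain`, any client can trigger that with a forged Host. Compute the flag per call and keep the constant, e.g. `secure = SECURE && !domain.try(&.ends_with?(".i2p"))`, and ideally decide the I2P case from configuration rather than from the request. `domain.not_nil!` also raises for the nil that the `String?` signature still allows, and `split(".").last == "i2p"` misses a Host that carries a port.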
@@ -25,12 +31,18 @@ struct Invidious::User # Preferences (PREFS) cookie # Parameter "domain" comes from the global config def prefs(domain : String?, preferences : Preferences) : HTTP::Cookie + # Not secure if it's being accessed from I2P + # Browsers expect the domain to include https. On I2P there is no HTTPS + if domain.not_nil!.split(".").last == "i2p" + @@secure = false + end + return HTTP::Cookie.new( name: "PREFS", domain: domain, value: URI.encode_www_form(preferences.to_json), expires: Time.utc + 2.years, - secure: SECURE, + secure: @@secure, http_only: false, samesite: HTTP::Cookie::SameSite::Lax ) diff --git a/src/invidious/views/channel.ecr b/src/invidious/views/channel.ecr index 686de6bd..d9c26cd9 100644 --- a/src/invidious/views/channel.ecr +++ b/src/invidious/views/channel.ecr @@ -25,21 +25,22 @@ first_page: continuation.nil?, params: env.params.query, ) + host = env.request.headers["Host"] %> <% content_for "header" do %> <%- if selected_tab.videos? -%> - + - + - + - + <%- end -%> diff --git a/src/invidious/views/watch.ecr b/src/invidious/views/watch.ecr index 6f9ced6f..b485dfae 100644 --- a/src/invidious/views/watch.ecr +++ b/src/invidious/views/watch.ecr @@ -1,29 +1,29 @@ <% ucid = video.ucid %> <% title = HTML.escape(video.title) %> <% author = HTML.escape(video.author) %> - +<% host = env.request.headers["Host"] %> <% content_for "header" do %> "> - + - + - - + + - + - - + +