routes: Allow embedding videos in local HTML files (fixes iv-org#4448)

The current Content Security Policy does not allow to embed videos inside local HTML files which are viewed in the browser via the file protocol. This commit adds the file protocol to the allowed frame ancestors, so that the embedded videos load correctly in local HTML files. This behaviour is consistent which how the official YouTube website allows to embed videos from itself. Signed-off-by: Tomasz Wilczyński <twilczynski@naver.com>
tomasz1986 · Feb 24, 2024 · 4adb4c0 · 4adb4c0
1 parent e8a3698
commit 4adb4c0
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/invidious/routes/before_all.cr b/src/invidious/routes/before_all.cr
@@ -30,7 +30,7 @@ module Invidious::Routes::BeforeAll
 
     # Only allow the pages at /embed/* to be embedded
     if env.request.resource.starts_with?("/embed")
-      frame_ancestors = "'self' http: https:"
+      frame_ancestors = "'self' file: http: https:"
     else
       frame_ancestors = "'none'"
     end