From 2be240767c65a17e563fc80a389ac4e568c47d41 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Wed, 7 Nov 2018 23:05:50 -0600
Subject: [PATCH] Add Origin header checks

---
 src/invidious.cr                 | 9 +++++++++
 src/invidious/helpers/helpers.cr | 1 +
 2 files changed, 10 insertions(+)

diff --git a/src/invidious.cr b/src/invidious.cr
index 3c251d96..d8c7301e 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -128,6 +128,15 @@ if CONFIG.geo_bypass
 end
 
 before_all do |env|
+  if CONFIG.domains && env.request.headers["Origin"]?
+    origin = env.request.headers["Origin"]
+    domains = CONFIG.domains.not_nil!
+
+    if !domains.includes? origin
+      halt env, status_code: 403
+    end
+  end
+
   env.response.headers["X-XSS-Protection"] = "1; mode=block;"
   env.response.headers["X-Content-Type-Options"] = "nosniff"
 
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
index 92a2e1b1..98357440 100644
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -16,6 +16,7 @@ class Config
   hmac_key: String?,
   full_refresh: Bool,
   geo_bypass: Bool,
+  domains: Array(String)?,
 })
 end
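Review bot: The guard added at the top of `before_all` compares the raw `Origin` header value with `domains.includes? origin`, but browsers send Origin as `scheme://host[:port]`, never as a bare hostname, so if operators fill the new `domains: Array(String)?` field in helpers.cr with hostnames (as the name suggests) nothing will match and every Origin-bearing request — including the site's own same-origin form POSTs — is rejected with 403. Either state the expected format in a comment such as `# CONFIG.domains entries must be full origins (e.g. https://example.com) to match the Origin header` or compare on the parsed host, e.g. `if !domains.includes?(URI.parse(origin).host)` with a nil-host fallback to reject. It is also worth a comment that requests without an Origin header skip this check entirely, so it narrows browser cross-site requests but is not a replacement for a per-request CSRF token. The `before_all` block continues outside the hunk.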