Rudloff
commented
3 years ago Thanks for the report!
I didn't know that form-action applied to redirects. (Apparently this is a debated issue: https://github.com/w3c/webappsec-csp/issues/8)
Closed mvnural closed 3 years ago
Rudloff
commented
3 years ago Thanks for the report!
I didn't know that form-action applied to redirects. (Apparently this is a debated issue: https://github.com/w3c/webappsec-csp/issues/8)
Rudloff
commented
3 years ago I published a hotfix.
New issue
On the info page, download button fails to start the download for any selected format. The console error message is
Refused to send form data to 'https://r5---sn-q0c7rn76.googlevideo.com/' because it violates the following Content Security Policy directive: "form-action 'self'".Of course, the URL in the error message changes with the download target but the result is the same. I believe this is due to this recent change: https://github.com/Rudloff/alltube/blob/f4a9528b569a9edff0bfcf92e4906da2a44eff72/classes/Middleware/CspMiddleware.php#L43 Removing the line or replacing it with->addSource('form-action', '*')fixes the issue.Your environment
Please answer these questions when reporting a new issue:
What is your operating system (Windows, Linux, OSX, etc.)?
Broken: Edge 86 on Windows 10, Chrome 86 on Linux (Ubuntu 20.04), Chrome 86 on Android 11 Works: Firefox 82 on Linux
What is your web server (Apache, IIS, etc.)? Both alltubedownload.net and local installation on Apache are broken What version of AllTube are you using? alltube-3.0.0-beta3 How did you install AllTube (with Git or with a release package)? Release package alltube-3.0.0-beta3 here.