Rudloff / alltube

Web GUI for youtube-dl
GNU General Public License v3.0

Alltube assumes http for resource's base url, conflicts with CSP when https is enabled. #367

Closed MCOfficer closed 3 years ago

MCOfficer commented 3 years ago


Your environment

Please answer these questions when reporting a new issue:

What is your operating system (Windows, Linux, OSX, etc.)?

Linux

What is your web server (Apache, IIS, etc.)?

Nginx as reverse proxy in front, your dockerized apache-based alltube behind it.

What version of AllTube are you using?

a8cc79a82c556d3ee36d8fd93bccdf064cf4bea8c09ce65ad0f60d9017dc5fc6 on docker hub, not sure how to find the program version. I'm assuming that's 3.0.0.

How did you install AllTube (with Git or with a release package)?

Pulled from docker hub, via docker-compose.

What version of PHP are you using?

Whatever's in the image.

What version of Python are you using?

^

What version of youtube-dl are you using?

^

Do you get any PHP-related errors in your webserver's logs?

No.

What is the content of your config/config.yml file?

The issue is reproducible without any config file, so whatever alltube's defaults are.

Please provide the URL of a video that causes the issue.

/

Describe your issue

I have AllTube set up as a docker container behind an nginx reverse proxy, which also handles HTTPS. HTTP is permitted, but redirected to HTTPS. The communication between nginx and the alltube container is http.

To give alltube the correct context, I'm making use of the X-Forwarded-* headers, as suggested in the readme.

However, alltube serves an HTML with these resources:

    <link rel="stylesheet" href="http://my.domain/alltube/assets/open-sans/open-sans.css"/>
    <link rel="stylesheet" href="http://my.domain/alltube/css/style.css"/>

And this CSP header:

content-security-policy: base-uri 'none'; default-src 'none'; font-src 'self'; form-action *; frame-ancestors 'none'; img-src *; manifest-src 'self'; style-src 'self';

Which both seem correct at first, but still my browser (Firefox 89) blocks the request to these 2 resources:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

According to MDN, self is defined as (emphasis mine)

Refers to the origin from which the protected document is being served, including the same URL scheme and port number.

So by my understanding, it should be https://my.domain/alltube/css/style.css.

Specifying X-Forwarded-Port: 443 doesn't help either, since it results in the following HTML, which also gets blocked:

    <link rel="stylesheet" href="http://my.domain:443/alltube/assets/open-sans/open-sans.css"/>
    <link rel="stylesheet" href="http://my.domain:443/alltube/css/style.css"/>

Any advice? Is this a genuine bug, or simply erroneous setup?

Rudloff commented 3 years ago

If AllTube is behind a reverse-proxy, it might not be able to detect that the original connection uses HTTPS. In this case, your reverse-proxy needs to set this header:

X-Forwarded-Proto: https
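As an added illustration (not code from AllTube, nginx, or either commenter) of why the links in the report are blocked and why X-Forwarded-Proto fixes it, the Python sketch below does two things: it rebuilds the browser-facing origin from the X-Forwarded-* headers the way a proxy-aware app should, and it applies the CSP 'self' matching rule (same scheme, host and port; an http document may additionally load https on the same host) to the resulting asset URLs. The request header dicts are constructed samples, and the function names are this example's own. The `trust_proxy` switch is there to show the defensive side: an app should only honour X-Forwarded-* when it sits behind a proxy that sets (and overwrites) those headers itself, since a client can send them too.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample requests as the backend sees them. In every case the
# proxy -> backend hop is plain http; only the forwarded headers differ.
REQ_NO_PROTO = {"Host": "my.domain", "X-Forwarded-Host": "my.domain"}
REQ_PORT_ONLY = {"Host": "my.domain", "X-Forwarded-Host": "my.domain",
                 "X-Forwarded-Port": "443"}
REQ_WITH_PROTO = {"Host": "my.domain", "X-Forwarded-Host": "my.domain",
                  "X-Forwarded-Proto": "https"}


def effective_origin(headers, transport_scheme="http", trust_proxy=True):
    """Return scheme://host[:port] as the browser sees it.

    Without X-Forwarded-Proto the app can only assume the scheme of its own
    transport (http here), which is exactly how the report's links came out
    as http://. X-Forwarded-Port alone changes the port, not the scheme, so
    it yields the odd http://host:443 form seen in the report.
    """
    scheme = transport_scheme
    host = headers.get("Host", "")
    port = None
    if trust_proxy:  # only meaningful when our own proxy sets these headers
        scheme = headers.get("X-Forwarded-Proto", scheme).lower()
        host = headers.get("X-Forwarded-Host", host)
        if "X-Forwarded-Port" in headers:
            port = int(headers["X-Forwarded-Port"])
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def asset_url(origin, path):
    """Absolute URL the app would emit for a static asset."""
    return origin + path


def csp_self_allows(document_url, resource_url):
    """CSP 'self' check: scheme, host and port of the resource must match the
    document's origin. CSP3 relaxes this in one direction only: an http
    document may load an https resource on the same host (matching port, or
    both on their scheme's default port). The reverse never matches, which is
    why an https page cannot pull http://my.domain/... under style-src 'self'.
    """
    doc, res = urlsplit(document_url), urlsplit(resource_url)
    if doc.hostname != res.hostname:
        return False
    doc_port = doc.port or DEFAULT_PORTS.get(doc.scheme)
    res_port = res.port or DEFAULT_PORTS.get(res.scheme)
    if doc.scheme == res.scheme:
        return doc_port == res_port
    if doc.scheme == "http" and res.scheme == "https":
        both_default = (doc_port == DEFAULT_PORTS["http"]
                        and res_port == DEFAULT_PORTS["https"])
        return both_default or doc_port == res_port
    return False


def blocked_assets(headers, document_url, paths, trust_proxy=True):
    """Asset URLs that style-src 'self' would block for this request."""
    origin = effective_origin(headers, trust_proxy=trust_proxy)
    urls = [asset_url(origin, p) for p in paths]
    return [u for u in urls if not csp_self_allows(document_url, u)]


if __name__ == "__main__":
    page = "https://my.domain/alltube/"  # what the browser actually loaded
    paths = ["/alltube/assets/open-sans/open-sans.css", "/alltube/css/style.css"]
    for name, req in [("no X-Forwarded-Proto", REQ_NO_PROTO),
                      ("X-Forwarded-Port only", REQ_PORT_ONLY),
                      ("X-Forwarded-Proto: https", REQ_WITH_PROTO)]:
        print(f"{name}: origin={effective_origin(req)} "
              f"blocked={blocked_assets(req, page, paths)}")
```

Running the script shows the first two configurations producing http:// asset URLs that 'self' rejects on an https page, and the third producing https:// URLs that pass. Note that `effective_origin(REQ_WITH_PROTO, trust_proxy=False)` still returns `http://my.domain`: the header only helps if the app is told to trust it, and it is only safe to trust if the proxy is the one setting it.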

MCOfficer commented 3 years ago

> If AllTube is behind a reverse-proxy, it might not be able to detect that the original connection uses HTTPS. In this case, your reverse-proxy needs to set this header:
>
> X-Forwarded-Proto: https

Yes, that did the trick, thank you!

I wasn't aware alltube also supports the X-Forwarded-Proto header. Could you please add this to the README? I can also open a PR if need be.

Rudloff commented 3 years ago

A PR would be welcome :slightly_smiling_face: