Content Security Policy (CSP) blocking Invidious embed on some websites #541
Assignees
Comments
|
Nope... I tried so many ways but failed to bypass it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Invidious embed works on most sites (like discord.com) but on some sites it is blocked by Content Security Policy (CSP).
I know there seem to already be a workaround to bypass CSP and allow Invidious embed in the code:
https://github.com/libredirect/libredirect/blob/4625aa07feb647ecbaa9a2316e778a7bcc01c605/src/assets/javascripts/services.js#L830-L866
But the current workaround still fails on this website for example:
https://tournesol.app/entities/yt:nmgFG7PUHfo
In the dev console I get this:
Content Security Policy: The page’s settings blocked the loading of a resource at https://inv.odyssey346.dev/embed/nmgFG7PUHfo?autoplay=1&mute=0&controls=1&origin=https%3A%2F%2Ftournesol.app&playsinline=1&showinfo=0&rel=0&iv_load_policy=3&modestbranding=1&enablejsapi=1&widgetid=1 (“frame-src”).Edit:
I think it has something to do with the CSP being inside a meta tag instead of being inside a response header.
The text was updated successfully, but these errors were encountered: