[Bug] Content Security Policy violation when trying to embed in a local HTML file

[tomasz1986]

Describe the bug

1. Create a new HTML file with this content:

<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="utf-8">
	</head>
<body>
	<div>
		<object type="text/html" data="https://yewtu.be/embed/n3vQbR1GhmA"></object>
	</div>
</body>
</html>

2. Open the HTML in a browser.

Logs

Refused to frame 'https://yewtu.be/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' http: https:".

Additional context

The specific Invidious instance doesn't seem to matter, and also the behaviour seems the same in all Web browsers (e.g. Chromium, Firefox, Palemoon, etc.).

YouTube itself has no problems with embedding videos, and also Piped, the other YouTube alternative viewer, embeds with no issues this way.

[unixfox]

Why are you not using the "iframe" element from HTML?

<iframe id='ivplayer' width='640' height='360' src='https://yewtu.be/embed/n3vQbR1GhmA' style='border:none;'></iframe>

[tomasz1986]

The same error occurs. I don't think it matters which type of element is used to embed. I think the problem is because the embedded https:// site doesn't allow loading itself inside a page that uses the file:// protocol.

[unixfox]

The CSP is here, feel free to submit a PR: https://github.com/iv-org/invidious/blob/master/src/invidious/routes/before_all.cr#L33!

[tomasz1986]

Should I just add file: in there? Would this be accepted? I'm not running Invidious myself, so I can't really do any testing locally.

[unixfox]

Please see here if you want to test if it works: https://docs.invidious.io/installation/#docker-compose-method-development

[tomasz1986]

The PR is up, however I still can't say for sure whether this works or not. The reason is that if I run Invidious locally, then embedding in a local HTML file works even without the change. This is true both when accessing it on the same machine or from other devices on the same LAN.