[Enhancement] Do not leak po token in videoplayback requests to clients #4841
Labels
enhancement
Improvement of an existing feature
Comments
|
It's the same issue as #2142 Ideally we would like to do something about it, but ultimately it's too cumbersome to deal with. Especially since we support the ability to turn off "proxy" and this won't work anymore if we hide the pot= parameter because the requests are directly sent to google servers by the browser/client. Read also the big downside for public instances by doing this: #2142 (comment). Each separate proxy program (example http3-ytproxy) would have to be adapted for this case. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
po token is leaked to clients in videoplayback request URLs.
I'm not entirely sure if it can be abused, but since
potis identifiable info it may be better to not leak it to clients watching videos on invidious instance.Describe the solution you'd like
Rewrite the URL internally to add
potwithout exposing it to clients eg in video_playback route.The text was updated successfully, but these errors were encountered: