The po token is leaked to clients in videoplayback request URLs.
I'm not entirely sure if it can be abused, but since pot is identifiable info it may be better to not leak it to clients watching videos on an Invidious instance.
Describe the solution you'd like
Rewrite the URL internally to add pot without exposing it to clients, e.g. in the video_playback route.
Ideally we would like to do something about it, but ultimately it's too cumbersome to deal with.
Especially since we support the ability to turn off "proxy", and this won't work anymore if we hide the pot= parameter because the requests are sent directly to Google servers by the browser/client.
Also read about the big downside for public instances of doing this: #2142 (comment). Each separate proxy program (for example, http3-ytproxy) would have to be adapted for this case.
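The rewrite requested in the issue, together with the proxy-off limitation from the reply, as an added sketch that is not Invidious code or part of either comment. It is written in Python rather than the project's own language, and the function names, the `proxied` flag, the `upstream_host` argument and the relative-URL layout are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

POT_PARAM = "pot"  # query parameter named in the issue


def strip_pot(url):
    """Return the URL with every pot= pair removed from its query string."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k != POT_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def client_facing_url(upstream_url, proxied):
    """URL handed to the viewer's browser.

    proxied=True: the instance fetches the media itself, so pot is dropped.
    proxied=False: the browser contacts the upstream host directly, so the
    URL has to keep pot (the limitation raised in the reply).
    """
    if not proxied:
        return upstream_url
    parts = urlsplit(strip_pot(upstream_url))
    # Relative URL served by the instance's own playback route (assumed layout).
    return urlunsplit(("", "", parts.path, parts.query, ""))


def upstream_url_for_proxy(client_url, upstream_host, server_pot):
    """Rebuild the upstream request inside the proxy route.

    Any pot supplied by the client is discarded; the server-held value is
    appended just before the request leaves the instance.
    """
    parts = urlsplit(strip_pot(client_url))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs.append((POT_PARAM, server_pot))
    return urlunsplit(("https", upstream_host, parts.path, urlencode(pairs), ""))


if __name__ == "__main__":
    # Constructed sample URL and token, not real values.
    up = "https://media.example.invalid/videoplayback?id=abc&itag=18&pot=CONSTRUCTED_TOKEN"
    shown = client_facing_url(up, proxied=True)
    print(shown)
    print(upstream_url_for_proxy(shown, "media.example.invalid", "CONSTRUCTED_TOKEN"))
```

Every external proxy program that serves the playback route would need the equivalent of `upstream_url_for_proxy`, which is the adaptation cost mentioned in the reply.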