Merge branch 'bgervan/master'

document CORS_ALLOWED_ORIGINS variable
Don't mark live streams as seen
2026-06-13 16:40:05 +00:00 · 2026-04-10 08:10:00 +03:00 · 2026-04-10 08:09:20 +03:00 · 2026-04-10 06:41:45 +02:00 · 2026-04-09 19:45:51 -05:00
3 changed files with 14 additions and 4 deletions
@@ -82,6 +82,7 @@ Certain values can be set via environment variables, using the `-e` parameter on
 * __HTTPS__: Use `https` instead of `http` (__CERTFILE__ and __KEYFILE__ required). Defaults to `false`.
 * __CERTFILE__: HTTPS certificate file path.
 * __KEYFILE__: HTTPS key file path.
+* __CORS_ALLOWED_ORIGINS__: Comma-separated list of origins permitted to make cross-origin requests to the MeTube API. When unset or empty, all cross-origin requests are denied. This must be configured for [bookmarklets](#-bookmarklet) and any other browser-based tools that contact MeTube from a different origin. Example: `https://www.youtube.com,https://www.vimeo.com`.
 * __ROBOTS_TXT__: A path to a `robots.txt` file mounted in the container.

 ### 🏠 Basic Setup
@@ -239,6 +240,8 @@ __Firefox:__ contributed by [nanocortex](https://github.com/nanocortex). You can

 [kushfest](https://github.com/kushfest) has created a Chrome bookmarklet for sending the currently open webpage to MeTube. Please note that if you're on an HTTPS page, your MeTube instance must be configured with `HTTPS` as `true` in the environment, or be behind an HTTPS reverse proxy (see below) for the bookmarklet to work.

+Since bookmarklets run in the context of the current page (e.g. youtube.com), the requests they make to MeTube are cross-origin. You must add the origins of sites where you use the bookmarklet to the __CORS_ALLOWED_ORIGINS__ environment variable, otherwise the browser will block the requests. For example, to use the bookmarklet on YouTube and Vimeo: `CORS_ALLOWED_ORIGINS=https://www.youtube.com,https://www.vimeo.com`.
+
 GitHub doesn't allow embedding JavaScript as a link, so the bookmarklet has to be created manually by copying the following code to a new bookmark you create on your bookmarks bar. Change the hostname in the URL below to point to your MeTube instance.

 ```javascript
@@ -60,6 +60,7 @@ class Config:
        'YTDL_OPTIONS_PRESETS': '{}',
        'YTDL_OPTIONS_PRESETS_FILE': '',
        'ALLOW_YTDL_OPTIONS_OVERRIDES': 'false',
+        'CORS_ALLOWED_ORIGINS': '',
        'ROBOTS_TXT': '',
        'HOST': '0.0.0.0',
        'PORT': '8081',
@@ -223,7 +224,8 @@ class ObjectSerializer(json.JSONEncoder):

 serializer = ObjectSerializer()
 app = web.Application()
-sio = socketio.AsyncServer(cors_allowed_origins='*')
+_cors_origins = [o.strip() for o in config.CORS_ALLOWED_ORIGINS.split(',') if o.strip()] if config.CORS_ALLOWED_ORIGINS else []
+sio = socketio.AsyncServer(cors_allowed_origins=_cors_origins if _cors_origins else [])
 sio.attach(app, socketio_path=config.URL_PREFIX + 'socket.io')
 routes = web.RouteTableDef()
 VALID_SUBTITLE_FORMATS = {'srt', 'txt', 'vtt', 'ttml', 'sbv', 'scc', 'dfxp'}
@@ -912,8 +914,9 @@ app.router.add_route('OPTIONS', config.URL_PREFIX + 'upload-cookies', add_cors)
 app.router.add_route('OPTIONS', config.URL_PREFIX + 'delete-cookies', add_cors)

 async def on_prepare(request, response):
-    if 'Origin' in request.headers:
-        response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
+    origin = request.headers.get('Origin')
+    if origin and _cors_origins and origin in _cors_origins:
+        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'

 app.on_response_prepare.append(on_prepare)
@@ -483,6 +483,8 @@ class SubscriptionManager:
            seen_entries = [ent for ent in entries if _is_media_entry(ent)]
            all_ids: list[str] = []
            for ent in seen_entries:
+                if ent.get("live_status") == "is_upcoming":
+                    continue  # Don't mark scheduled streams as seen; queue them when they go live
                eid = _entry_id(ent)
                if eid:
                    all_ids.append(eid)
@@ -662,7 +664,9 @@ class SubscriptionManager:
        new_ids: list[str] = []
        for ent in entries:
            eid = _entry_id(ent)
-            if not eid or eid in seen:
+            if not eid:
+                continue
+            if eid in seen and ent.get("live_status") != "is_live":
                continue
            new_entries.append(ent)
            new_ids.append(eid)
Author	SHA1	Message	Date
Alex Shnitman	388aeb180d	Merge branch 'bgervan/master'	2026-04-10 08:10:00 +03:00
Alex Shnitman	aa60420ead	document CORS_ALLOWED_ORIGINS variable	2026-04-10 08:09:20 +03:00
Benjamin Gervan	a6e8617ad8	Don't mark live streams as seen	2026-04-10 06:41:45 +02:00
az10b	0072d3488a	Fix permissive CORS policy that allows cross-origin attacks The on_prepare handler unconditionally reflected the Origin request header into Access-Control-Allow-Origin, and Socket.IO was configured with cors_allowed_origins='*'. This allowed any website to make authenticated cross-origin requests to all API endpoints, enabling cross-origin download initiation, cookie overwrite, and data deletion. Replace the blanket origin reflection with an explicit allowlist via the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default. Users who need cross-origin access can set CORS_ALLOWED_ORIGINS to a comma-separated list of trusted origins.	2026-04-09 19:45:51 -05:00