Add support for alternative domains for Invidious cookies#5647
Open
Fijxu wants to merge 2 commits intoiv-org:masterfrom
Open
Add support for alternative domains for Invidious cookies#5647Fijxu wants to merge 2 commits intoiv-org:masterfrom
Fijxu wants to merge 2 commits intoiv-org:masterfrom
Conversation
Fijxu
commented
Feb 23, 2026
Comment on lines
+14
to
+20
| # Not secure if it's being accessed from I2P | ||
| # Browsers expect the domain to include https. On I2P there is no HTTPS | ||
| # Tor browser works fine with secure being true | ||
| if (domain.try &.split(".").last == "i2p") && @@secure | ||
| @@secure = false | ||
| end | ||
|
|
Member
Author
There was a problem hiding this comment.
Just as a note, when using .i2p domains, secure has to be false, otherwise, the browser using an I2P proxy will reject the cookie. But this seems to be too hardcoded, so I was thinking about modifying alternative_domains to let the instance administrator to define if they want the Cookie to be secure or not secure, because it really depends on where they are hosting Invidious and how the browser of the client is configured. Something like this basically, but I'm not too sure so suggestions are appreciated!:
alternative_domains:
- something.i2p
secure: false
- othersomething.onion
secure: true
- alternative-clearnet.lol
secure: true
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1421
Adds a new configuration option called
alternative_domains, a list of additional domains from where the Invidious instance is hosted, this will make hosting Invidious in other domains like Tor hidden services, I2P tunnels, Yggdrasil or any other type of domain that is inserted.It needs the usage of a reverse proxy to pass the
X-Forwarded-Hostheader to Invidious, since that is the header that will be used to detect the alternative domains. It could be more flexible and just useHost, in that way, there is no need to use a reverse proxy, but I decided to go withX-Forwarded-Hostsince it's de-facto standard header for identifying the original host requested by the client in the Host HTTP request header. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Host)Instance administrators will also need to add their additional domains in their reverse proxy configuration, but that will depend on their reverse proxy configuration.
For nginx, that would mean adding the additional domain to their
server_nameserver directive, example:Here is a demonstration on how the
Set-Cookieheader looks like when using an alternative domain: