From 02667f4348af95a94dd47d22dc7122e8fa440aa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kasper=20Rynning-T=C3=B8nnesen?=
Date: Tue, 3 Apr 2018 16:19:11 +0200
Subject: [PATCH] Imageblob only from allowed origin

---
 server/public/assets/js/frontpage.js | 3 +++
 server/routing/client/api.js | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/public/assets/js/frontpage.js b/server/public/assets/js/frontpage.js
index e1affe0f..bb0d236f 100755
--- a/server/public/assets/js/frontpage.js
+++ b/server/public/assets/js/frontpage.js
@@ -221,6 +221,9 @@ var Frontpage = {
 $("#mega-background").css("opacity", 1);
 $(".autocomplete").attr("placeholder", list[i]._id);
 },500);
+ },
+ error: function() {
+ $(".autocomplete").attr("placeholder", list[i]._id);
 }
 });
 };
diff --git a/server/routing/client/api.js b/server/routing/client/api.js
index abfa3d82..2c665462 100644
--- a/server/routing/client/api.js
+++ b/server/routing/client/api.js
@@ -1095,10 +1095,16 @@ function incrementToken(token) {
 router.route('/api/imageblob').post(function(req, res) {
 var Jimp = require("jimp");
+ var origin = req.get("origin").replace("https://", "").replace("http://", "");
+ var allowed = ["client.localhost", "localhost", "zoff.me", "client.zoff.me", "zoff.no", "client.zoff.no"];
+ if(allowed.indexOf(origin) < 0) {
+ res.sendStatus(403);
+ return;
+ }
 Jimp.read('https://img.youtube.com/vi/' + req.body.id + '/mqdefault.jpg', function (err, image) {
 if (err) {
 console.log(err);
- res.send(404);
+ res.sendStatus(404);
 return;
 }
 image.blur(50)
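Review bot: The new `error` callback in frontpage.js discards the jqXHR, textStatus and errorThrown arguments, so a failed request leaves no trace beyond the placeholder reset — including the 403 that the same commit makes /api/imageblob return for a non-allowlisted origin, which would otherwise be hard to diagnose from a browser session. I would keep the placeholder fallback and record the status first: `error: function(jqXHR, textStatus, errorThrown) {` followed by `console.error("imageblob request failed", jqXHR.status, textStatus, errorThrown);`. The object literal this handler is added to (presumably a `$.ajax` options object) and the function enclosing it both begin before the hunk, so whether `i` is a `var` loop index captured by this closure cannot be seen here; if it is, `list[i]._id` in the new handler reads the loop's final value, exactly as the existing success path already does.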