mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 16:02:46 +08:00
DEV: Remove blob: workers from CSP (#10440)
Ace editor is reconfigured to load workers directly from their JS URL. Workers must be on the same origin as the site, so they will not use the CDN.
This commit is contained in:
parent
f52927cd33
commit
8ac85f54fb
|
@ -1,5 +1,6 @@
|
|||
import Component from "@ember/component";
|
||||
import loadScript from "discourse/lib/load-script";
|
||||
import getURL from "discourse-common/lib/get-url";
|
||||
import { observes } from "discourse-common/utils/decorators";
|
||||
import { on } from "@ember/object/evented";
|
||||
|
||||
|
@ -74,6 +75,9 @@ export default Component.extend({
|
|||
|
||||
loadScript("/javascripts/ace/ace.js").then(() => {
|
||||
window.ace.require(["ace/ace"], loadedAce => {
|
||||
loadedAce.config.set("loadWorkerFromBlob", false);
|
||||
loadedAce.config.set("workerPath", getURL("/javascripts/ace")); // Do not use CDN for workers
|
||||
|
||||
if (!this.element || this.isDestroying || this.isDestroyed) {
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -63,8 +63,7 @@ class ContentSecurityPolicy
|
|||
|
||||
def worker_src
|
||||
[
|
||||
"'self'",
|
||||
"blob:",
|
||||
"'self'", # For service worker
|
||||
*script_assets(worker: true)
|
||||
]
|
||||
end
|
||||
|
|
|
@ -37,7 +37,6 @@ describe ContentSecurityPolicy do
|
|||
worker_srcs = parse(policy)['worker-src']
|
||||
expect(worker_srcs).to eq(%w[
|
||||
'self'
|
||||
blob:
|
||||
http://test.localhost/assets/
|
||||
http://test.localhost/brotli_asset/
|
||||
http://test.localhost/javascripts/
|
||||
|
|
Loading…
Reference in New Issue
Block a user