DEV: Remove blob: workers from CSP (#10440)

Ace editor is reconfigured to load workers directly from their JS URL. Workers must be on the same origin as the site, so they will not use the CDN.
This commit is contained in:
David Taylor 2020-08-14 18:15:30 +01:00 committed by GitHub
parent f52927cd33
commit 8ac85f54fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 5 additions and 3 deletions

View File

@ -1,5 +1,6 @@
import Component from "@ember/component"; import Component from "@ember/component";
import loadScript from "discourse/lib/load-script"; import loadScript from "discourse/lib/load-script";
import getURL from "discourse-common/lib/get-url";
import { observes } from "discourse-common/utils/decorators"; import { observes } from "discourse-common/utils/decorators";
import { on } from "@ember/object/evented"; import { on } from "@ember/object/evented";
@ -74,6 +75,9 @@ export default Component.extend({
loadScript("/javascripts/ace/ace.js").then(() => { loadScript("/javascripts/ace/ace.js").then(() => {
window.ace.require(["ace/ace"], loadedAce => { window.ace.require(["ace/ace"], loadedAce => {
loadedAce.config.set("loadWorkerFromBlob", false);
loadedAce.config.set("workerPath", getURL("/javascripts/ace")); // Do not use CDN for workers
if (!this.element || this.isDestroying || this.isDestroyed) { if (!this.element || this.isDestroying || this.isDestroyed) {
return; return;
} }

View File

@ -63,8 +63,7 @@ class ContentSecurityPolicy
def worker_src def worker_src
[ [
"'self'", "'self'", # For service worker
"blob:",
*script_assets(worker: true) *script_assets(worker: true)
] ]
end end

View File

@ -37,7 +37,6 @@ describe ContentSecurityPolicy do
worker_srcs = parse(policy)['worker-src'] worker_srcs = parse(policy)['worker-src']
expect(worker_srcs).to eq(%w[ expect(worker_srcs).to eq(%w[
'self' 'self'
blob:
http://test.localhost/assets/ http://test.localhost/assets/
http://test.localhost/brotli_asset/ http://test.localhost/brotli_asset/
http://test.localhost/javascripts/ http://test.localhost/javascripts/