FIX: Add script asset locations to worker-src CSP directives

We no longer need the `:blob` worker-src since d5463d2a, but we do want to allow workers to be loaded from all our existing script-src options.
This commit is contained in:
David Taylor 2020-08-14 12:30:39 +01:00
parent d5463d2a4d
commit a5608025aa
No known key found for this signature in database
GPG Key ID: 46904C18B1D3F434
2 changed files with 19 additions and 17 deletions


@ -23,19 +23,20 @@ class ContentSecurityPolicy
end
SCRIPT_ASSET_DIRECTORIES = [
# [dir, can_use_s3_cdn, can_use_cdn]
['/assets/', true, true],
['/brotli_asset/', true, true],
['/extra-locales/', false, false],
['/highlight-js/', false, true],
['/javascripts/', false, true],
['/plugins/', false, true],
['/theme-javascripts/', false, true],
['/svg-sprite/', false, true],
# [dir, can_use_s3_cdn, can_use_cdn, for_worker]
['/assets/', true, true, true],
['/brotli_asset/', true, true, true],
['/extra-locales/', false, false, false],
['/highlight-js/', false, true, false],
['/javascripts/', false, true, true],
['/plugins/', false, true, true],
['/theme-javascripts/', false, true, false],
['/svg-sprite/', false, true, false],
]
def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url, worker: false)
SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn, for_worker|
next if worker && !for_worker
if can_use_s3_cdn && s3_cdn
s3_cdn + dir
elsif can_use_cdn && cdn
@ -43,7 +44,7 @@ class ContentSecurityPolicy
else
base + dir
end
end
end.compact
end
def script_src
@ -62,8 +63,7 @@ class ContentSecurityPolicy
def worker_src
[
:self,
:blob, # ACE editor registers a service worker with a blob for syntax checking
*script_assets(worker: true)
]
end
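Review bot: The new `worker:` keyword on `def script_assets(... worker: false)` and the fourth column it reads are undocumented, so a reader has to trace `next if worker && !for_worker` to learn that workers get a narrower allow-list than script-src; a comment above the method such as `# worker: true returns only the directories flagged for_worker in SCRIPT_ASSET_DIRECTORIES` would make that explicit. It is also worth recording next to `SCRIPT_ASSET_DIRECTORIES` that browsers ignore the path part of a CSP source expression once the resource has been fetched through a redirect, so an entry like `cdn + dir` effectively grants the whole CDN origin if the CDN redirects — the per-directory split is defence in depth rather than a hard boundary. On style, rows such as `['/assets/', true, true, true]` now carry three positional booleans that are easy to misorder; keyword-style rows or named constants for the flags would make `for_worker` self-describing. The body of `script_assets` continues past the first hunk.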


@ -33,11 +33,13 @@ describe ContentSecurityPolicy do
end
describe 'worker-src' do
it 'always has self and blob' do
it 'always has script srcs' do
worker_srcs = parse(policy)['worker-src']
expect(worker_srcs).to eq(%w[
'self'
blob:
http://test.localhost/assets/
http://test.localhost/brotli_asset/
http://test.localhost/javascripts/
http://test.localhost/plugins/
])
end
end
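Review bot: The updated example only pins the base-URL branch of `script_assets(worker: true)`; nothing in the hunk exercises the `s3_cdn` or `cdn` branches, so a regression that dropped CDN origins from worker-src (or, inversely, leaked a non-`for_worker` directory into it when a CDN is configured) would pass this spec. A second example that sets the CDN setting the surrounding file presumably already uses for the script-src specs and expects the four `for_worker` directories prefixed with that host would close the gap. The example name `'always has script srcs'` is also slightly misleading, since the assertion is that worker-src holds exactly the worker-enabled script directories and nothing else; `'has only the worker-enabled script srcs'` describes the `eq` check more precisely.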