Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

DEV: Remove blob: workers from CSP (#10440) 

Ace editor is reconfigured to load workers directly from their JS URL. Workers must be on the same origin as the site, so they will not use the CDN.
This commit is contained in:
David Taylor 2020-08-14 18:15:30 +01:00 committed by GitHub
parent f52927cd33
commit 8ac85f54fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/assets/javascripts/admin/components/ace-editor.js
View File

@ -1,5 +1,6 @@
import Component from "@ember/component";
import loadScript from "discourse/lib/load-script";
import getURL from "discourse-common/lib/get-url";
import { observes } from "discourse-common/utils/decorators";
import { on } from "@ember/object/evented";
@ -74,6 +75,9 @@ export default Component.extend({
loadScript("/javascripts/ace/ace.js").then(() => {
window.ace.require(["ace/ace"], loadedAce => {
loadedAce.config.set("loadWorkerFromBlob", false);
loadedAce.config.set("workerPath", getURL("/javascripts/ace")); // Do not use CDN for workers
if (!this.element || this.isDestroying || this.isDestroyed) {
return;
}

3
lib/content_security_policy/default.rb
View File

@ -63,8 +63,7 @@ class ContentSecurityPolicy
def worker_src
[
"'self'",
"blob:",
"'self'", # For service worker
*script_assets(worker: true)
]
end

1
spec/lib/content_security_policy_spec.rb
View File

@ -37,7 +37,6 @@ describe ContentSecurityPolicy do
worker_srcs = parse(policy)['worker-src']
expect(worker_srcs).to eq(%w[
'self'
blob:
http://test.localhost/assets/
http://test.localhost/brotli_asset/
http://test.localhost/javascripts/