From 8ac85f54fb522faa4a45f97ea4e5dcff3b3b5249 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Fri, 14 Aug 2020 18:15:30 +0100
Subject: [PATCH] DEV: Remove blob: workers from CSP (#10440)

Ace editor is reconfigured to load workers directly from their JS URL. Workers must be on the same origin as the site, so they will not use the CDN.
---
 app/assets/javascripts/admin/components/ace-editor.js | 4 ++++
 lib/content_security_policy/default.rb | 3 +--
 spec/lib/content_security_policy_spec.rb | 1 -
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/assets/javascripts/admin/components/ace-editor.js b/app/assets/javascripts/admin/components/ace-editor.js
index 123193c0c0b..407b0fed603 100644
--- a/app/assets/javascripts/admin/components/ace-editor.js
+++ b/app/assets/javascripts/admin/components/ace-editor.js
@@ -1,5 +1,6 @@
 import Component from "@ember/component";
 import loadScript from "discourse/lib/load-script";
+import getURL from "discourse-common/lib/get-url";
 import { observes } from "discourse-common/utils/decorators";
 import { on } from "@ember/object/evented";
@@ -74,6 +75,9 @@ export default Component.extend({
 loadScript("/javascripts/ace/ace.js").then(() => {
 window.ace.require(["ace/ace"], loadedAce => {
+loadedAce.config.set("loadWorkerFromBlob", false);
+loadedAce.config.set("workerPath", getURL("/javascripts/ace")); // Do not use CDN for workers
+
 if (!this.element || this.isDestroying || this.isDestroyed) {
 return;
 }
diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index 43f076e022f..52a116c0650 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -63,8 +63,7 @@ class ContentSecurityPolicy
 def worker_src
 [
-"'self'",
-"blob:",
+"'self'", # For service worker
 *script_assets(worker: true)
 ]
 end
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index d7b60eb0a13..04557e3900b 100644
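Review bot: The `// Do not use CDN for workers` comment on the new `workerPath` line states the constraint but not the reason, which currently lives only in the commit message: `worker-src` no longer allows `blob:`, so Ace's default of wrapping worker code in a blob: URL would now be blocked by the CSP, and the workers must instead be fetched as plain scripts from a same-origin URL. I'd replace it with a comment such as `// CSP worker-src no longer permits blob:, so ace must fetch its workers as plain scripts from the site origin (not the CDN)`. This relies on `getURL` resolving against the site origin rather than the asset CDN, which the commit message asserts but the hunk cannot show. The enclosing `loadScript(...).then` callback continues outside the hunk.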
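Review bot: The new `# For service worker` comment on `'self'` in `worker_src` is narrower than what the entry now does: with `blob:` removed, `'self'` is also what permits the Ace editor's dedicated workers, which the same commit switches to same-origin script URLs under `/javascripts/ace`. I'd widen it to `"'self'", # service worker and same-origin dedicated workers (e.g. the ace editor)` so a later reader does not narrow or drop the entry believing only the service worker depends on it. Whether `script_assets(worker: true)` independently covers that path cannot be seen from the hunk.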
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -37,7 +37,6 @@ describe ContentSecurityPolicy do
 worker_srcs = parse(policy)['worker-src']
 expect(worker_srcs).to eq(%w[
 'self'
-blob:
 http://test.localhost/assets/
 http://test.localhost/brotli_asset/
 http://test.localhost/javascripts/