From 962fbd1ec7a7f9558988c7c67d50bd194160f76a Mon Sep 17 00:00:00 2001
From: Kyle Zhao
Date: Fri, 16 Nov 2018 16:25:21 -0500
Subject: [PATCH] include '/plugins/' directory for script-src and blob for worker-src
- plugins may include additional static JS assets
- ACE.js editor register a service worker with a blob for syntax checking
---
 lib/content_security_policy.rb | 3 ++-
 spec/lib/content_security_policy_spec.rb | 17 +++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/content_security_policy.rb b/lib/content_security_policy.rb
index b30beec8690..85000825b39 100644
--- a/lib/content_security_policy.rb
+++ b/lib/content_security_policy.rb
@@ -37,7 +37,7 @@ class ContentSecurityPolicy
 @request = request
 @directives = {
 script_src: script_src,
- worker_src: [:self],
+ worker_src: [:self, :blob],
 }
 @directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
@@ -68,6 +68,7 @@ class ContentSecurityPolicy
 ['/extra-locales/', false, false],
 ['/highlight-js/', false, true],
 ['/javascripts/', false, true],
+ ['/plugins/', false, true],
 ['/theme-javascripts/', false, true],
 ]
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index a73082ac7df..af4311fa2dc 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -13,8 +13,18 @@ describe ContentSecurityPolicy do
 end
 end
- describe 'script-src defaults' do
- it 'always have self, logster, sidekiq, and assets' do
+ describe 'worker-src' do
+ it 'always has self and blob' do
+ worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
+ expect(worker_srcs).to eq(%w[
+ 'self'
+ blob:
+ ])
+ end
+ end
+
+ describe 'script-src' do
+ it 'always has self, logster, sidekiq, and assets' do
 script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
 expect(script_srcs).to eq(%w[
 'unsafe-eval'
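Review bot: `worker_src: [:self, :blob],` carries no comment explaining why `blob:` is needed, so the rationale lives only in the commit message and a later reader tightening the policy has nothing in the file to go on. I would add above the line `# blob: lets the ACE editor spawn its syntax-checking worker from a Blob URL; a Blob-URL worker runs as this origin, so this does not widen script-src`. The commit message calls it a service worker, but browsers only register service workers from same-origin http(s) script URLs, so what ACE creates from a Blob URL is a dedicated Worker — the comment should say "web worker" to avoid sending someone looking for a service-worker registration. This assumes the existing directive rendering, outside the hunk, turns `:blob` into `blob:` as the new spec expects; the constructor continues outside the hunk.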
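Review bot: `['/plugins/', false, true],` extends the script-src allow-list to an entire path prefix on the app origin and, judging by the spec hunks, on the CDN host too, yet nothing in the file records the assumption that only precompiled plugin assets are ever served beneath `/plugins/`; a path-prefix entry is only as safe as everything that can appear under it. I would put a comment on the new line, `# precompiled plugin assets only; anything user-supplied served under this prefix would need its own CSP review`, so that a future handler serving uploads or rendered output under /plugins/ is recognised as a policy change rather than a routing detail. The positional booleans are also undocumented — from the spec they appear to select the S3/brotli host and whether the path is served from the CDN, but that is inferred — so a one-line header over the array naming the columns would help the next person adding an entry. The array's declaration starts outside the hunk.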
@@ -26,6 +36,7 @@ describe ContentSecurityPolicy do
 http://test.localhost/extra-locales/
 http://test.localhost/highlight-js/
 http://test.localhost/javascripts/
+ http://test.localhost/plugins/
 http://test.localhost/theme-javascripts/
 ])
 end
@@ -48,6 +59,7 @@ describe ContentSecurityPolicy do
 https://cdn.com/brotli_asset/
 https://cdn.com/highlight-js/
 https://cdn.com/javascripts/
+ https://cdn.com/plugins/
 https://cdn.com/theme-javascripts/
 http://test.localhost/extra-locales/
 ])
@@ -60,6 +72,7 @@ describe ContentSecurityPolicy do
 https://s3-cdn.com/brotli_asset/
 https://cdn.com/highlight-js/
 https://cdn.com/javascripts/
+ https://cdn.com/plugins/
 https://cdn.com/theme-javascripts/
 http://test.localhost/extra-locales/
 ])