Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

include '/plugins/' directory for script-src and blob for worker-src 

- plugins may include additional static JS assets
- ACE.js editor register a service worker with a blob for syntax
checking
This commit is contained in:
Kyle Zhao 2018-11-16 16:25:21 -05:00
parent e37c4a4525
commit 962fbd1ec7
2 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/content_security_policy.rb
View File

@ -37,7 +37,7 @@ class ContentSecurityPolicy
@request = request @request = request
@directives = { @directives = {
script_src: script_src, script_src: script_src,
worker_src: [:self], worker_src: [:self, :blob],
} }
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports @directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
@ -68,6 +68,7 @@ class ContentSecurityPolicy
['/extra-locales/', false, false], ['/extra-locales/', false, false],
['/highlight-js/', false, true], ['/highlight-js/', false, true],
['/javascripts/', false, true], ['/javascripts/', false, true],
['/plugins/', false, true],
['/theme-javascripts/', false, true], ['/theme-javascripts/', false, true],
] ]

17
spec/lib/content_security_policy_spec.rb
View File

@ -13,8 +13,18 @@ describe ContentSecurityPolicy do
end end
end end
describe 'script-src defaults' do describe 'worker-src' do
it 'always have self, logster, sidekiq, and assets' do it 'always has self and blob' do
worker_srcs = parse(ContentSecurityPolicy.new.build)['worker-src']
expect(worker_srcs).to eq(%w[
'self'
blob:
])
end
end
describe 'script-src' do
it 'always has self, logster, sidekiq, and assets' do
script_srcs = parse(ContentSecurityPolicy.new.build)['script-src'] script_srcs = parse(ContentSecurityPolicy.new.build)['script-src']
expect(script_srcs).to eq(%w[ expect(script_srcs).to eq(%w[
'unsafe-eval' 'unsafe-eval'
@ -26,6 +36,7 @@ describe ContentSecurityPolicy do
http://test.localhost/extra-locales/ http://test.localhost/extra-locales/
http://test.localhost/highlight-js/ http://test.localhost/highlight-js/
http://test.localhost/javascripts/ http://test.localhost/javascripts/
http://test.localhost/plugins/
http://test.localhost/theme-javascripts/ http://test.localhost/theme-javascripts/
]) ])
end end
@ -48,6 +59,7 @@ describe ContentSecurityPolicy do
https://cdn.com/brotli_asset/ https://cdn.com/brotli_asset/
https://cdn.com/highlight-js/ https://cdn.com/highlight-js/
https://cdn.com/javascripts/ https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/ https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/ http://test.localhost/extra-locales/
]) ])
@ -60,6 +72,7 @@ describe ContentSecurityPolicy do
https://s3-cdn.com/brotli_asset/ https://s3-cdn.com/brotli_asset/
https://cdn.com/highlight-js/ https://cdn.com/highlight-js/
https://cdn.com/javascripts/ https://cdn.com/javascripts/
https://cdn.com/plugins/
https://cdn.com/theme-javascripts/ https://cdn.com/theme-javascripts/
http://test.localhost/extra-locales/ http://test.localhost/extra-locales/
]) ])