From 72339f918350d200124d472fd1081d72c8cdb051 Mon Sep 17 00:00:00 2001
From: terakilobyte
Date: Wed, 6 May 2015 14:06:10 -0400
Subject: [PATCH] Set correct mime type in jailed. Set correct types on script imports in bonfire/show. Open helmet up to potentially unsafe levels by allowing "* unsafe-inline" in scriptSrc.
---
 app.js | 5 ++++-
 public/js/lib/jailed/_frame.html | 2 +-
 public/js/lib/jailed/_frame.js | 17 ++++++++++++-----
 views/bonfire/show.jade | 22 +++++++++++-----------
 4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/app.js b/app.js
index d7048557e4..ae3097df7b 100755
--- a/app.js
+++ b/app.js
@@ -115,6 +115,7 @@ app.disable('x-powered-by');
 app.use(helmet.xssFilter());
 app.use(helmet.noSniff());
 app.use(helmet.xframe());
+/*
 app.use(function(req, res, next) {
 res.header('Access-Control-Allow-Origin', '*');
 res.header('Access-Control-Allow-Headers',
@@ -122,6 +123,7 @@ app.use(function(req, res, next) {
 );
 next();
 });
+*/
 
 var trusted = [
 "'self'",
@@ -167,7 +169,8 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
- '*.d3js.org'
+ '*.d3js.org',
+ "* 'unsafe-inline'"
 ].concat(trusted),
 'connect-src': [
 'ws://*.rafflecopter.com',
diff --git a/public/js/lib/jailed/_frame.html b/public/js/lib/jailed/_frame.html
index 97d5bb947e..68b300d6e3 100644
--- a/public/js/lib/jailed/_frame.html
+++ b/public/js/lib/jailed/_frame.html
@@ -1 +1 @@
-
+
diff --git a/public/js/lib/jailed/_frame.js b/public/js/lib/jailed/_frame.js
index edf1b51793..34046b89de 100644
--- a/public/js/lib/jailed/_frame.js
+++ b/public/js/lib/jailed/_frame.js
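Review bot: The CORS middleware in this hunk and the next is switched off by wrapping it in `/* … */` instead of deleting it, which leaves a dead block that a later editor can re-enable without seeing what it does. The practical effect of the change is that the app stops sending `Access-Control-Allow-Origin: *` on every response, so removing the block outright (git history keeps it) and naming that effect in the commit message would make the intent explicit. The commented-out function starts in this hunk and ends in the next, so its middle lines are outside both.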
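Review bot: The new entry `"* 'unsafe-inline'"` makes the rest of the script-src allow-list meaningless: `*` lets a script from any origin load and `'unsafe-inline'` lets any inline script or event handler run, so the directive no longer limits what an injected script can do and the CDN hosts above it become redundant. If the goal is only to allow the inline scripts in the bonfire views, a per-request nonce or a hash for those scripts keeps the origin restriction; if a wildcard is unavoidable for now, scope it to the hosts actually needed rather than `*`. Note also that `*` does not match `blob:` or `data:` URLs, so if this was meant to unblock the blob-backed worker in `_frame.js` it will not help — `blob:` has to be listed explicitly (under script-src in CSP 1, child-src in CSP 2, worker-src in newer browsers). Separately, packing two sources into one array element only works because helmet joins the list with spaces; writing them as `'*'` and `"'unsafe-inline'"` matches how `"'self'"` is written in `trusted`.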
@@ -24,12 +24,19 @@ var blobCode = [
 ' }); '
 ].join('\n');
 
-var blobUrl = window.URL.createObjectURL(
- new Blob([blobCode])
-);
+var blobUrl;
+try {
+ blobUrl = new Blob([blobCode], {type: 'application/javascript'});
+} catch (e) {
+ window.BlobBuilder = window.BlobBuilder
+ || window.WebKitBlobBuilder
+ || window.MozBlobBuilder;
+ blobUrl = new BlobBuilder();
+ blobUrl.append(blobCode);
+ blobUrl = blobUrl.getBlob();
+}
 
-
-var worker = new Worker(blobUrl);
+var worker = new Worker(URL.createObjectURL(blobUrl));
 
 // telling worker to load _pluginWeb.js (see blob code above)
 worker.postMessage({
diff --git a/views/bonfire/show.jade b/views/bonfire/show.jade
index d361cf2a5f..f2284d53a3 100644
--- a/views/bonfire/show.jade
+++ b/views/bonfire/show.jade
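Review bot: After this change `blobUrl` holds a Blob rather than a URL, which the variable name and the later `new Worker(URL.createObjectURL(blobUrl))` make confusing; naming the Blob `blob` and keeping the created object URL in its own variable reads more clearly. Keeping that URL also lets the script release it with `URL.revokeObjectURL` once the worker has started (for example after its first reply), which the current one-liner makes impossible. The `catch (e)` branch treats any exception as the signal to fall back to the legacy `BlobBuilder` API; a short comment stating which environments throw on the `Blob` constructor would stop a reader from taking it for a swallowed error. The surrounding script continues outside this hunk.
```javascript
var blob;
try {
  blob = new Blob([blobCode], {type: 'application/javascript'});
} catch (e) {
  // … unchanged: BlobBuilder fallback, assigning the built blob to `blob` instead of `blobUrl` …
}

var blobUrl = URL.createObjectURL(blob);
var worker = new Worker(blobUrl);
// keep blobUrl so it can be passed to URL.revokeObjectURL once the worker is up
```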
@@ -1,21 +1,21 @@
 extends ../layout-wide
 block content
- script(src='/js/lib/codemirror/lib/codemirror.js')
- script(src='/js/lib/codemirror/addon/edit/closebrackets.js')
- script(src='/js/lib/codemirror/addon/edit/matchbrackets.js')
- script(src='/js/lib/codemirror/addon/lint/lint.js')
- script(src='/js/lib/codemirror/addon/lint/javascript-lint.js')
- script(src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
- script(src='/js/lib/chai/chai.js')
+ script(type='text/javascript', src='/js/lib/codemirror/lib/codemirror.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/edit/closebrackets.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/edit/matchbrackets.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/lint/lint.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/lint/javascript-lint.js')
+ script(type='text/javascript', src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
+ script(type='text/javascript', src='/js/lib/chai/chai.js')
 link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css')
 link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css')
 link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css')
 link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")
- script(src='/js/lib/codemirror/mode/javascript/javascript.js')
- script(src='/js/lib/jailed/jailed.js')
- script(src='/js/lib/bonfire/bonfireInit.js')
- script(src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
+ script(type='text/javascript', src='/js/lib/codemirror/mode/javascript/javascript.js')
+ script(type='text/javascript', src='/js/lib/jailed/jailed.js')
+ script(type='text/javascript', src='/js/lib/bonfire/bonfireInit.js')
+ script(type='text/javascript', src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
 .row