From adaa3cdecef09dc925bebf83027d347c56ff2b65 Mon Sep 17 00:00:00 2001
From: terakilobyte
Date: Wed, 6 May 2015 09:10:15 -0400
Subject: [PATCH 1/6] Remove template path, load correct javascript in universal header

---
app.js | 5 ++---
controllers/user.js | 2 --
views/partials/universal-head.jade | 2 ++
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/app.js b/app.js
index 3aa08c3825..d7048557e4 100755
--- a/app.js
+++ b/app.js
@@ -214,6 +214,8 @@ app.use(function (req, res, next) {
 next();
 });
+app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
+
 app.use(function (req, res, next) {
 // Remember original destination before login.
 var path = req.path.split('/')[1];
@@ -225,9 +227,6 @@ app.use(function (req, res, next) {
 req.session.returnTo = req.path;
 next();
 });
-app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
-app.use('/template', express.static(__dirname +
- '/public/bower_components/angular-ui-bootstrap/template'));
 /**
 * Main routes.
diff --git a/controllers/user.js b/controllers/user.js
index 43c8b908b4..ddb3ae7030 100644
--- a/controllers/user.js
+++ b/controllers/user.js
@@ -10,8 +10,6 @@ var _ = require('lodash'),
 resources = require('./resources'),
 R = require('ramda');
-
-
 /**
 * GET /signin
 * Siginin page.
diff --git a/views/partials/universal-head.jade b/views/partials/universal-head.jade
index 08d62857a7..673c6fe58a 100644
--- a/views/partials/universal-head.jade
+++ b/views/partials/universal-head.jade
@@ -34,6 +34,8 @@ script.
 // Leave alone below
 script(src="/js/main.js")
+script(src="/bower_components/angular-bootstrap/ui-bootstrap-tpls.min.js")
+
 link(rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Lato:400|Inconsolata")
 link(rel="stylesheet" type="text/css" href="/bower_components/cal-heatmap/cal-heatmap.css")

From 3919919dafd77cd43ec8dbf7e54a3f3d8d89ac75 Mon Sep 17 00:00:00 2001
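Review bot: The static handler added at the top of the -214 hunk builds its root with `__dirname + '/public'`; `path.join(__dirname, 'public')` is the portable form (assuming `path` is required at the top of app.js, which is outside the hunk). Moving it ahead of the returnTo middleware also means asset requests no longer write `req.session.returnTo`, which is a useful side effect worth recording in a comment such as `// Serve static assets before session bookkeeping so asset hits never set returnTo`. Note that the whole `public/` tree, including `bower_components`, is served verbatim, so anything placed there is reachable by URL. The middleware chain continues outside both hunks.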
From: terakilobyte
Date: Wed, 6 May 2015 09:24:27 -0400
Subject: [PATCH 2/6] whitelist freecodecamp specifically in script src for helmet

---
app.js | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app.js b/app.js
index d7048557e4..7bb86ed8e3 100755
--- a/app.js
+++ b/app.js
@@ -126,6 +126,7 @@ app.use(function(req, res, next) {
 var trusted = [
 "'self'",
 '*.freecodecamp.com',
+ 'http://www.freecodecamp.com/*',
 '*.gstatic.com',
 '*.google-analytics.com',
 '*.googleapis.com',
@@ -167,7 +168,8 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
- '*.d3js.org'
+ '*.d3js.org',
+ '*.freecodecamp.com'
 ].concat(trusted),
 'connect-src': [
 'ws://*.rafflecopter.com',

From 68420149b0b0cf9575e0d465842ef2c127fe8c96 Mon Sep 17 00:00:00 2001
From: terakilobyte
Date: Wed, 6 May 2015 12:49:59 -0400
Subject: [PATCH 3/6] Revert "whitelist freecodecamp specifically in script src for helmet"

This reverts commit 3919919dafd77cd43ec8dbf7e54a3f3d8d89ac75.

---
app.js | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/app.js b/app.js
index 7bb86ed8e3..d7048557e4 100755
--- a/app.js
+++ b/app.js
@@ -126,7 +126,6 @@ app.use(function(req, res, next) {
 var trusted = [
 "'self'",
 '*.freecodecamp.com',
- 'http://www.freecodecamp.com/*',
 '*.gstatic.com',
 '*.google-analytics.com',
 '*.googleapis.com',
@@ -168,8 +167,7 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
- '*.d3js.org',
- '*.freecodecamp.com'
+ '*.d3js.org'
 ].concat(trusted),
 'connect-src': [
 'ws://*.rafflecopter.com',

From 72339f918350d200124d472fd1081d72c8cdb051 Mon Sep 17 00:00:00 2001
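Review bot: `'http://www.freecodecamp.com/*'` added in the -126 hunk is not a usable CSP source expression: the `*` after the slash is read as a literal path character, not a wildcard, so the entry matches nothing rather than "everything under that host". The `'*.freecodecamp.com'` added to scriptSrc in the -167 hunk is redundant, because `trusted` already holds that value and every directive is built with `.concat(trusted)`. If one host needed allowing, `'http://www.freecodecamp.com'` with no path is the form browsers accept. PATCH 3/6 reverts this commit, so the point mainly explains why the entry had no observable effect.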
From: terakilobyte
Date: Wed, 6 May 2015 14:06:10 -0400
Subject: [PATCH 4/6] Set correct mime type in jailed. Set correct types on script imports in bonfire/show. Open helmet up to potentially unsafe levels by allowing "* unsafe-inline" in scriptSrc.

---
app.js | 5 ++++-
public/js/lib/jailed/_frame.html | 2 +-
public/js/lib/jailed/_frame.js | 17 ++++++++++++-----
views/bonfire/show.jade | 22 +++++++++++-----------
4 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/app.js b/app.js
index d7048557e4..ae3097df7b 100755
--- a/app.js
+++ b/app.js
@@ -115,6 +115,7 @@ app.disable('x-powered-by');
 app.use(helmet.xssFilter());
 app.use(helmet.noSniff());
 app.use(helmet.xframe());
+/*
 app.use(function(req, res, next) {
 res.header('Access-Control-Allow-Origin', '*');
 res.header('Access-Control-Allow-Headers',
@@ -122,6 +123,7 @@ app.use(function(req, res, next) {
 );
 next();
 });
+*/
 var trusted = [
 "'self'",
@@ -167,7 +169,8 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
- '*.d3js.org'
+ '*.d3js.org',
+ "* 'unsafe-inline'"
 ].concat(trusted),
 'connect-src': [
 'ws://*.rafflecopter.com',
diff --git a/public/js/lib/jailed/_frame.html b/public/js/lib/jailed/_frame.html
index 97d5bb947e..68b300d6e3 100644
--- a/public/js/lib/jailed/_frame.html
+++ b/public/js/lib/jailed/_frame.html
@@ -1 +1 @@ - +
diff --git a/public/js/lib/jailed/_frame.js b/public/js/lib/jailed/_frame.js
index edf1b51793..34046b89de 100644
--- a/public/js/lib/jailed/_frame.js
+++ b/public/js/lib/jailed/_frame.js
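Review bot: `"* 'unsafe-inline'"` in the -167 hunk is a single array element that helmet presumably joins into the header with spaces, so the emitted `script-src` ends up containing a bare `*`, which permits scripts from any origin and makes the rest of the allowlist irrelevant. `'unsafe-inline'` was already reaching `script-src` via `.concat(trusted)` (the -139 hunk of PATCH 5/6 shows `"'unsafe-eval'"` and `"'unsafe-inline'"` as existing members of `trusted`), so the `*` is the only thing this line actually adds. Commenting out the CORS middleware with `/*` and `*/` in the -115 and -122 hunks leaves dead code in place of a decision; deleting it with a one-line `// CORS headers removed: <reason>` would be clearer, though PATCH 6/6 restores the block anyway. PATCH 5/6 drops the `*` entry again.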
@@ -24,12 +24,19 @@ var blobCode = [
 ' }); '
 ].join('\n');
-var blobUrl = window.URL.createObjectURL(
- new Blob([blobCode])
-);
+var blobUrl;
+try {
+ blobUrl = new Blob([blobCode], {type: 'application/javascript'});
+} catch (e) {
+ window.BlobBuilder = window.BlobBuilder || window.WebKitBlobBuilder || window.MozBlobBuilder;
+ blobUrl = new BlobBuilder();
+ blobUrl.append(blobCode);
+ blobUrl = blobUrl.getBlob();
+}
-
-var worker = new Worker(blobUrl);
+var worker = new Worker(URL.createObjectURL(blobUrl));
 // telling worker to load _pluginWeb.js (see blob code above)
 worker.postMessage({
diff --git a/views/bonfire/show.jade b/views/bonfire/show.jade
index d361cf2a5f..f2284d53a3 100644
--- a/views/bonfire/show.jade
+++ b/views/bonfire/show.jade
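Review bot: In the catch branch, when none of `window.BlobBuilder`, `WebKitBlobBuilder` or `MozBlobBuilder` exists, `new BlobBuilder()` throws a second, unrelated error that hides the original `e`; the fallback needs a guard before it is used. `blobUrl` now holds a Blob rather than an object URL, which makes the final `new Worker(URL.createObjectURL(blobUrl))` read wrongly, and assigning to `window.BlobBuilder` leaks a global as a side effect of a fallback path. The object URL is never released either; `URL.revokeObjectURL` is not called anywhere in view, though whether it is safe to revoke right after the Worker is constructed should be confirmed against the supported browsers before adding it. The rewrite below keeps a local, rethrows when no builder is available, and passes the MIME type through the legacy path too:
```javascript
var blob;
try {
  blob = new Blob([blobCode], {type: 'application/javascript'});
} catch (e) {
  var Builder = window.BlobBuilder || window.WebKitBlobBuilder || window.MozBlobBuilder;
  if (!Builder) {
    throw e; // no Blob constructor and no legacy builder: surface the original error
  }
  var builder = new Builder();
  builder.append(blobCode);
  blob = builder.getBlob('application/javascript');
}

var worker = new Worker(URL.createObjectURL(blob));
// … unchanged: worker.postMessage({ … }) …
```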
@@ -1,21 +1,21 @@
 extends ../layout-wide
 block content
- script(src='/js/lib/codemirror/lib/codemirror.js')
- script(src='/js/lib/codemirror/addon/edit/closebrackets.js')
- script(src='/js/lib/codemirror/addon/edit/matchbrackets.js')
- script(src='/js/lib/codemirror/addon/lint/lint.js')
- script(src='/js/lib/codemirror/addon/lint/javascript-lint.js')
- script(src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
- script(src='/js/lib/chai/chai.js')
+ script(type='text/javascript', src='/js/lib/codemirror/lib/codemirror.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/edit/closebrackets.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/edit/matchbrackets.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/lint/lint.js')
+ script(type='text/javascript', src='/js/lib/codemirror/addon/lint/javascript-lint.js')
+ script(type='text/javascript', src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
+ script(type='text/javascript', src='/js/lib/chai/chai.js')
 link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css')
 link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css')
 link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css')
 link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")
- script(src='/js/lib/codemirror/mode/javascript/javascript.js')
- script(src='/js/lib/jailed/jailed.js')
- script(src='/js/lib/bonfire/bonfireInit.js')
- script(src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
+ script(type='text/javascript', src='/js/lib/codemirror/mode/javascript/javascript.js')
+ script(type='text/javascript', src='/js/lib/jailed/jailed.js')
+ script(type='text/javascript', src='/js/lib/bonfire/bonfireInit.js')
+ script(type='text/javascript', src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
 .row

From 77a15ed5911624ffc30077fec4ac4b7f104e1921 Mon Sep 17 00:00:00 2001
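Review bot: Adding `type='text/javascript'` to every script tag does not affect MIME validation: with `helmet.noSniff()` enabled (visible in this patch's app.js hunk) the browser checks the `Content-Type` response header of each script URL, not the tag attribute, so if the motivation is a nosniff block the fix belongs in the server's MIME configuration for those paths. `text/javascript` is also the default script type, so the attribute is redundant. Separately, the two third-party scripts (`//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js` and `//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js`) are loaded protocol-relative and without an integrity attribute; pinning them to `https://` and adding subresource integrity, e.g. `script(src="https://cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js", integrity="<sha384-hash-placeholder>", crossorigin="anonymous")`, limits what a CDN compromise can inject into this page.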
From: terakilobyte
Date: Wed, 6 May 2015 18:14:00 -0400
Subject: [PATCH 5/6] Remove unsafe inline, add blob: to trusted sources for compatibility with webkit

---
app.js | 27 ++++----------------------
1 file changed, 4 insertions(+), 23 deletions(-)

diff --git a/app.js b/app.js
index ae3097df7b..521c8d2853 100755
--- a/app.js
+++ b/app.js
@@ -127,6 +127,7 @@ app.use(function(req, res, next) {
 var trusted = [
 "'self'",
+ 'blob:',
 '*.freecodecamp.com',
 '*.gstatic.com',
 '*.google-analytics.com',
@@ -139,7 +140,6 @@ var trusted = [
 '*.twimg.com',
 "'unsafe-eval'",
 "'unsafe-inline'",
- '*.rafflecopter.com',
 '*.bootstrapcdn.com',
 '*.cloudflare.com',
 'https://*.cloudflare.com',
@@ -154,11 +154,7 @@ var trusted = [
 '*.youtube.com',
 '*.jsdelivr.net',
 'https://*.jsdelivr.net',
- '*.togetherjs.com',
- 'https://*.togetherjs.com',
- 'wss://hub.togetherjs.com',
 '*.ytimg.com',
- 'wss://fcctogether.herokuapp.com',
 '*.bitly.com',
 'http://cdn.inspectlet.com/',
 'http://hn.inspectlet.com/'
@@ -169,28 +165,14 @@ app.use(helmet.contentSecurityPolicy({
 scriptSrc: [
 '*.optimizely.com',
 '*.aspnetcdn.com',
- '*.d3js.org',
- "* 'unsafe-inline'"
+ '*.d3js.org'
 ].concat(trusted),
 'connect-src': [
- 'ws://*.rafflecopter.com',
- 'wss://*.rafflecopter.com',
- 'https://*.rafflecopter.com',
- 'ws://www.freecodecamp.com',
- 'http://www.freecodecamp.com'
+ 'ws://www.freecodecamp.com'
 ].concat(trusted),
 styleSrc: trusted,
 imgSrc: [
- '*.evernote.com',
- '*.amazonaws.com',
- 'data:',
- '*.licdn.com',
- '*.gravatar.com',
- '*.akamaihd.net',
- 'graph.facebook.com',
- '*.githubusercontent.com',
- '*.googleusercontent.com',
- /* allow all input since we have user submitted images for public profile*/
+ /* allow all input since we have user submitted images for public profile*/
 '*'
 ].concat(trusted),
 fontSrc: ['*.googleapis.com'].concat(trusted),
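Review bot: The title says unsafe-inline is removed, but the -169 hunk only drops the `"* 'unsafe-inline'"` element; `trusted` still contains `"'unsafe-eval'"` and `"'unsafe-inline'"` (context lines of the -139 hunk) and is concatenated into `scriptSrc`, so the emitted script-src keeps both keywords and what this commit really removes is the `*`. `'blob:'` is added to `trusted` in the -127 hunk, which puts it into every directive built with `.concat(trusted)` (scriptSrc, connect-src, styleSrc, imgSrc, fontSrc and the rest); the jailed worker only needs it in script-src, so `scriptSrc: ['blob:', '*.optimizely.com', …]` would scope it correctly. The imgSrc rewrite in the -169 hunk removes `'data:'` and relies on `'*'`, but `*` matches network schemes only, so any `data:` image URIs the app renders will now be blocked. The contentSecurityPolicy call continues past this hunk.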
@@ -203,7 +185,6 @@ app.use(helmet.contentSecurityPolicy({
 '*.gitter.im https:',
 '*.vimeo.com',
 '*.twitter.com',
- '*.rafflecopter.com',
 '*.ghbtns.com'
 ].concat(trusted),
 reportOnly: false, // set to true if you only want to report errors

From ceb5c23be26bc824565b9d337f7a433388d23355 Mon Sep 17 00:00:00 2001
From: terakilobyte
Date: Wed, 6 May 2015 18:17:01 -0400
Subject: [PATCH 6/6] re-add commented out master header section

---
app.js | 2 --
1 file changed, 2 deletions(-)

diff --git a/app.js b/app.js
index 521c8d2853..5403278407 100755
--- a/app.js
+++ b/app.js
@@ -115,7 +115,6 @@ app.disable('x-powered-by');
 app.use(helmet.xssFilter());
 app.use(helmet.noSniff());
 app.use(helmet.xframe());
-/*
 app.use(function(req, res, next) {
 res.header('Access-Control-Allow-Origin', '*');
 res.header('Access-Control-Allow-Headers',
@@ -123,7 +122,6 @@ app.use(function(req, res, next) {
 );
 next();
 });
-*/
 var trusted = [
 "'self'",
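Review bot: Uncommenting the middleware in the -115 and -123 hunks re-enables `Access-Control-Allow-Origin: *` (plus an `Access-Control-Allow-Headers` value set outside the hunk) on every route, since it is registered with `app.use` ahead of the routes. A wildcard origin cannot be combined with credentials, so the session cookie is not exposed by it, but any site can read responses from unauthenticated endpoints; scoping the headers to the routes or static paths that actually need cross-origin access would be tighter. The commit message does not say which consumer needs this, so a comment above the block such as `// CORS wildcard: required by <consumer>; intentionally not applied to authenticated routes` would record the decision for the next reader. Both hunks cut the middleware body in the middle.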