Merge pull request #426 from FreeCodeCamp/staging

Fix for CSP violations across all browsers and strange asset loading timing.
Quincy Larson
2015-05-06 15:27:09 -07:00
6 changed files with 31 additions and 43 deletions

app.js

@ -125,6 +125,7 @@ app.use(function(req, res, next) {
var trusted = [ var trusted = [
"'self'", "'self'",
'blob:',
'*.freecodecamp.com', '*.freecodecamp.com',
'*.gstatic.com', '*.gstatic.com',
'*.google-analytics.com', '*.google-analytics.com',
@ -137,7 +138,6 @@ var trusted = [
'*.twimg.com', '*.twimg.com',
"'unsafe-eval'", "'unsafe-eval'",
"'unsafe-inline'", "'unsafe-inline'",
'*.rafflecopter.com',
'*.bootstrapcdn.com', '*.bootstrapcdn.com',
'*.cloudflare.com', '*.cloudflare.com',
'https://*.cloudflare.com', 'https://*.cloudflare.com',
@ -152,11 +152,7 @@ var trusted = [
'*.youtube.com', '*.youtube.com',
'*.jsdelivr.net', '*.jsdelivr.net',
'https://*.jsdelivr.net', 'https://*.jsdelivr.net',
'*.togetherjs.com',
'https://*.togetherjs.com',
'wss://hub.togetherjs.com',
'*.ytimg.com', '*.ytimg.com',
'wss://fcctogether.herokuapp.com',
'*.bitly.com', '*.bitly.com',
'http://cdn.inspectlet.com/', 'http://cdn.inspectlet.com/',
'http://hn.inspectlet.com/' 'http://hn.inspectlet.com/'
@ -170,24 +166,11 @@ app.use(helmet.contentSecurityPolicy({
'*.d3js.org' '*.d3js.org'
].concat(trusted), ].concat(trusted),
'connect-src': [ 'connect-src': [
'ws://*.rafflecopter.com', 'ws://www.freecodecamp.com'
'wss://*.rafflecopter.com',
'https://*.rafflecopter.com',
'ws://www.freecodecamp.com',
'http://www.freecodecamp.com'
].concat(trusted), ].concat(trusted),
styleSrc: trusted, styleSrc: trusted,
imgSrc: [ imgSrc: [
'*.evernote.com', /* allow all input since we have user submitted images for public profile*/
'*.amazonaws.com',
'data:',
'*.licdn.com',
'*.gravatar.com',
'*.akamaihd.net',
'graph.facebook.com',
'*.githubusercontent.com',
'*.googleusercontent.com',
/* allow all input since we have user submitted images for public profile*/
'*' '*'
].concat(trusted), ].concat(trusted),
fontSrc: ['*.googleapis.com'].concat(trusted), fontSrc: ['*.googleapis.com'].concat(trusted),
@ -200,7 +183,6 @@ app.use(helmet.contentSecurityPolicy({
'*.gitter.im https:', '*.gitter.im https:',
'*.vimeo.com', '*.vimeo.com',
'*.twitter.com', '*.twitter.com',
'*.rafflecopter.com',
'*.ghbtns.com' '*.ghbtns.com'
].concat(trusted), ].concat(trusted),
reportOnly: false, // set to true if you only want to report errors reportOnly: false, // set to true if you only want to report errors
@ -214,6 +196,8 @@ app.use(function (req, res, next) {
next(); next();
}); });
app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
app.use(function (req, res, next) { app.use(function (req, res, next) {
// Remember original destination before login. // Remember original destination before login.
var path = req.path.split('/')[1]; var path = req.path.split('/')[1];
@ -225,9 +209,6 @@ app.use(function (req, res, next) {
req.session.returnTo = req.path; req.session.returnTo = req.path;
next(); next();
}); });
app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
app.use('/template', express.static(__dirname +
'/public/bower_components/angular-ui-bootstrap/template'));
/** /**
* Main routes. * Main routes.
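Review bot: The new `imgSrc` list, `'*'` plus `trusted`, no longer permits `data:` images: the `*` host wildcard matches network hosts only, and scheme sources such as `data:` and `blob:` have to be listed explicitly, yet `'data:'` was dropped together with the per-host entries. Unless `data:` appears in a part of `trusted` not shown in this hunk, any data-URI image (editor and widget CSS commonly embed them) will now be blocked, so keep it next to the wildcard: `imgSrc: ['data:', '*'].concat(trusted),`. Separately, adding `'blob:'` to the shared `trusted` array grants blob: URLs to every directive built from it, while only the script/worker source used by the jailed worker needs it; scoping it to that directive would keep the other directives as they were. The `helmet.contentSecurityPolicy` call these directives belong to starts before the first hunk.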


@ -10,8 +10,6 @@ var _ = require('lodash'),
resources = require('./resources'), resources = require('./resources'),
R = require('ramda'); R = require('ramda');
/** /**
* GET /signin * GET /signin
* Siginin page. * Siginin page.


@ -1 +1 @@
<script src="_frame.js"></script> <script sandbox="allow-same-origin allow-scripts" src="_frame.js"></script>
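Review bot: The `sandbox` attribute added to the `<script>` element has no effect, because `sandbox` is defined only for `<iframe>`; browsers ignore unknown attributes on `<script>`, so `_frame.js` runs exactly as it did before. Sandboxing has to be set by the parent on the iframe that loads this document (`<iframe sandbox="allow-scripts" src="_frame.html">`), and note that combining `allow-same-origin` with `allow-scripts` lets the framed script remove the sandbox attribute from its own frame, so that pair gives no isolation from the embedding origin. If the attribute was added to silence a CSP report, the report should be traced to its real source instead, since this change cannot have altered what the browser reports.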


@ -24,12 +24,19 @@ var blobCode = [
' }); ' ' }); '
].join('\n'); ].join('\n');
var blobUrl = window.URL.createObjectURL( var blobUrl;
new Blob([blobCode]) try {
); blobUrl = new Blob([blobCode], {type: 'application/javascript'});
} catch (e) {
window.BlobBuilder = window.BlobBuilder
|| window.WebKitBlobBuilder
|| window.MozBlobBuilder;
blobUrl = new BlobBuilder();
blobUrl.append(blobCode);
blobUrl = blobUrl.getBlob();
}
var worker = new Worker(URL.createObjectURL(blobUrl));
var worker = new Worker(blobUrl);
// telling worker to load _pluginWeb.js (see blob code above) // telling worker to load _pluginWeb.js (see blob code above)
worker.postMessage({ worker.postMessage({
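Review bot: In the new try/catch, `blobUrl` now holds a `Blob` (or the `BlobBuilder` result) rather than a URL, which makes the `new Worker(URL.createObjectURL(blobUrl))` line misleading; more importantly, the `catch` discards the original error and, on an engine with neither a `Blob` constructor nor any `BlobBuilder` variant, fails with an unrelated `TypeError` from `new BlobBuilder()` instead of reporting that blobs are unsupported. Assigning the fallback constructor to a local, checking it, and rethrowing `e` when it is absent keeps the failure diagnosable, and renaming the blob to `blob` while keeping the object URL in its own variable makes it possible to release it later with `URL.revokeObjectURL`, which is never called now, so every frame creation keeps one object URL alive. This statement run continues past the hunk (`worker.postMessage(...)`).
```javascript
var blob;
try {
  blob = new Blob([blobCode], {type: 'application/javascript'});
} catch (e) {
  // Legacy engines expose a prefixed BlobBuilder instead of the Blob constructor
  var Builder = window.BlobBuilder || window.WebKitBlobBuilder || window.MozBlobBuilder;
  if (!Builder) { throw e; }
  var builder = new Builder();
  builder.append(blobCode);
  blob = builder.getBlob();
}
var blobUrl = URL.createObjectURL(blob);
var worker = new Worker(blobUrl);
// consider URL.revokeObjectURL(blobUrl) once the worker has started
// … unchanged: worker.postMessage(...) …
```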


@ -1,21 +1,21 @@
extends ../layout-wide extends ../layout-wide
block content block content
script(src='/js/lib/codemirror/lib/codemirror.js') script(type='text/javascript', src='/js/lib/codemirror/lib/codemirror.js')
script(src='/js/lib/codemirror/addon/edit/closebrackets.js') script(type='text/javascript', src='/js/lib/codemirror/addon/edit/closebrackets.js')
script(src='/js/lib/codemirror/addon/edit/matchbrackets.js') script(type='text/javascript', src='/js/lib/codemirror/addon/edit/matchbrackets.js')
script(src='/js/lib/codemirror/addon/lint/lint.js') script(type='text/javascript', src='/js/lib/codemirror/addon/lint/lint.js')
script(src='/js/lib/codemirror/addon/lint/javascript-lint.js') script(type='text/javascript', src='/js/lib/codemirror/addon/lint/javascript-lint.js')
script(src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js') script(type='text/javascript', src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
script(src='/js/lib/chai/chai.js') script(type='text/javascript', src='/js/lib/chai/chai.js')
link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css') link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css')
link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css') link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css')
link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css') link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css')
link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono") link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")
script(src='/js/lib/codemirror/mode/javascript/javascript.js') script(type='text/javascript', src='/js/lib/codemirror/mode/javascript/javascript.js')
script(src='/js/lib/jailed/jailed.js') script(type='text/javascript', src='/js/lib/jailed/jailed.js')
script(src='/js/lib/bonfire/bonfireInit.js') script(type='text/javascript', src='/js/lib/bonfire/bonfireInit.js')
script(src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js") script(type='text/javascript', src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
.row .row
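Review bot: The Google Fonts stylesheet on the `link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")` line is still requested over plain http; on an https page that is mixed content, which browsers block for stylesheets, and it would surface as exactly the kind of style-src violation this commit is trying to remove if the policy only lists the https origin. Switch it to `href="https://fonts.googleapis.com/css?family=Ubuntu+Mono"`, which also works on http pages. The two scripts pulled from third-party CDNs, `//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js` and `//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js`, execute in the page with no `integrity` attribute, so a change on the CDN side changes what runs here; pinning them with SRI where supported, or serving them from `/js/lib/` like the rest, closes that gap. The added `type='text/javascript'` attributes are the default and do not change how these scripts load. The `block content` body continues past the hunk.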


@ -34,6 +34,8 @@ script.
// Leave alone below // Leave alone below
script(src="/js/main.js") script(src="/js/main.js")
script(src="/bower_components/angular-bootstrap/ui-bootstrap-tpls.min.js")
link(rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Lato:400|Inconsolata") link(rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Lato:400|Inconsolata")
link(rel="stylesheet" type="text/css" href="/bower_components/cal-heatmap/cal-heatmap.css") link(rel="stylesheet" type="text/css" href="/bower_components/cal-heatmap/cal-heatmap.css")