gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #426 from FreeCodeCamp/staging

Browse Source 
Fix for csp violations across all browsers and strange asset loading timing.
This commit is contained in:
Quincy Larson
2015-05-06 15:27:09 -07:00
parent c61e3c8ed2 ceb5c23be2
commit f97dc0e35c
6 changed files with 31 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
app.js
View File

@ -125,6 +125,7 @@ app.use(function(req, res, next) {
var trusted = [
"'self'",
'blob:',
'*.freecodecamp.com',
'*.gstatic.com',
'*.google-analytics.com',
@ -137,7 +138,6 @@ var trusted = [
'*.twimg.com',
"'unsafe-eval'",
"'unsafe-inline'",
'*.rafflecopter.com',
'*.bootstrapcdn.com',
'*.cloudflare.com',
'https://*.cloudflare.com',
@ -152,11 +152,7 @@ var trusted = [
'*.youtube.com',
'*.jsdelivr.net',
'https://*.jsdelivr.net',
'*.togetherjs.com',
'https://*.togetherjs.com',
'wss://hub.togetherjs.com',
'*.ytimg.com',
'wss://fcctogether.herokuapp.com',
'*.bitly.com',
'http://cdn.inspectlet.com/',
'http://hn.inspectlet.com/'
@ -170,24 +166,11 @@ app.use(helmet.contentSecurityPolicy({
'*.d3js.org'
].concat(trusted),
'connect-src': [
'ws://*.rafflecopter.com',
'wss://*.rafflecopter.com',
'https://*.rafflecopter.com',
'ws://www.freecodecamp.com',
'http://www.freecodecamp.com'
'ws://www.freecodecamp.com'
].concat(trusted),
styleSrc: trusted,
imgSrc: [
'*.evernote.com',
'*.amazonaws.com',
'data:',
'*.licdn.com',
'*.gravatar.com',
'*.akamaihd.net',
'graph.facebook.com',
'*.githubusercontent.com',
'*.googleusercontent.com',
/* allow all input since we have user submitted images for public profile*/
/* allow all input since we have user submitted images for public profile*/
'*'
].concat(trusted),
fontSrc: ['*.googleapis.com'].concat(trusted),
@ -200,7 +183,6 @@ app.use(helmet.contentSecurityPolicy({
'*.gitter.im https:',
'*.vimeo.com',
'*.twitter.com',
'*.rafflecopter.com',
'*.ghbtns.com'
].concat(trusted),
reportOnly: false, // set to true if you only want to report errors
@ -214,6 +196,8 @@ app.use(function (req, res, next) {
next();
});
app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
app.use(function (req, res, next) {
// Remember original destination before login.
var path = req.path.split('/')[1];
@ -225,9 +209,6 @@ app.use(function (req, res, next) {
req.session.returnTo = req.path;
next();
});
app.use(express.static(__dirname + '/public', {maxAge: 86400000 }));
app.use('/template', express.static(__dirname +
'/public/bower_components/angular-ui-bootstrap/template'));
/**
* Main routes.

2
controllers/user.js
View File

@ -10,8 +10,6 @@ var _ = require('lodash'),
resources = require('./resources'),
R = require('ramda');
/**
* GET /signin
* Siginin page.

2
public/js/lib/jailed/_frame.html
View File

@ -1 +1 @@
<script src="_frame.js"></script>
<script sandbox="allow-same-origin allow-scripts" src="_frame.js"></script>

17
public/js/lib/jailed/_frame.js
View File

@ -24,12 +24,19 @@ var blobCode = [
' }); '
].join('\n');
var blobUrl = window.URL.createObjectURL(
new Blob([blobCode])
);
var blobUrl;
try {
blobUrl = new Blob([blobCode], {type: 'application/javascript'});
} catch (e) {
window.BlobBuilder = window.BlobBuilder
|| window.WebKitBlobBuilder
|| window.MozBlobBuilder;
blobUrl = new BlobBuilder();
blobUrl.append(blobCode);
blobUrl = blobUrl.getBlob();
}
var worker = new Worker(blobUrl);
var worker = new Worker(URL.createObjectURL(blobUrl));
// telling worker to load _pluginWeb.js (see blob code above)
worker.postMessage({

22
views/bonfire/show.jade
View File

@ -1,21 +1,21 @@
extends ../layout-wide
block content
script(src='/js/lib/codemirror/lib/codemirror.js')
script(src='/js/lib/codemirror/addon/edit/closebrackets.js')
script(src='/js/lib/codemirror/addon/edit/matchbrackets.js')
script(src='/js/lib/codemirror/addon/lint/lint.js')
script(src='/js/lib/codemirror/addon/lint/javascript-lint.js')
script(src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
script(src='/js/lib/chai/chai.js')
script(type='text/javascript', src='/js/lib/codemirror/lib/codemirror.js')
script(type='text/javascript', src='/js/lib/codemirror/addon/edit/closebrackets.js')
script(type='text/javascript', src='/js/lib/codemirror/addon/edit/matchbrackets.js')
script(type='text/javascript', src='/js/lib/codemirror/addon/lint/lint.js')
script(type='text/javascript', src='/js/lib/codemirror/addon/lint/javascript-lint.js')
script(type='text/javascript', src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
script(type='text/javascript', src='/js/lib/chai/chai.js')
link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css')
link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css')
link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css')
link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")
script(src='/js/lib/codemirror/mode/javascript/javascript.js')
script(src='/js/lib/jailed/jailed.js')
script(src='/js/lib/bonfire/bonfireInit.js')
script(src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
script(type='text/javascript', src='/js/lib/codemirror/mode/javascript/javascript.js')
script(type='text/javascript', src='/js/lib/jailed/jailed.js')
script(type='text/javascript', src='/js/lib/bonfire/bonfireInit.js')
script(type='text/javascript', src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
.row

2
views/partials/universal-head.jade
View File

@ -34,6 +34,8 @@ script.
// Leave alone below
script(src="/js/main.js")
script(src="/bower_components/angular-bootstrap/ui-bootstrap-tpls.min.js")
link(rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Lato:400|Inconsolata")
link(rel="stylesheet" type="text/css" href="/bower_components/cal-heatmap/cal-heatmap.css")