From 2ca08d21e4c706d74a02c6144aea394256291d5f Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Wed, 17 May 2023 18:57:56 +0000
Subject: [PATCH] I broke magic byte detection, and missed some Content-Security-Policy opportunities.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4304 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 core/core.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/core/core.js b/core/core.js
index a55f2c9b..cf8759ac 100644
--- a/core/core.js
+++ b/core/core.js
@@ -473,7 +473,7 @@ function startsWithBytes(data, bytes) {
 if (data.byteLength >= bytes.length) {
 let dataBytes = new Uint8Array(data.slice(0, bytes.length));
 for (let i = 0; i < bytes.length; i++) {
- if (dataBytes[i] != bytes[i] && bytes[i] !== null) {
+ if (dataBytes[i] !== bytes[i] && bytes[i] !== null) {
 return;
 }
 }
@@ -561,7 +561,7 @@ function guessTypeFromName(path) {
 function guessTypeFromMagicBytes(data) {
 for (let magic of k_magic_bytes) {
 if (startsWithBytes(data, magic.bytes)) {
- return magic.content_type;
+ return magic.type;
 }
 }
 }
@@ -621,7 +621,9 @@ async function blobHandler(request, response, blobId, uri) {
 let data;
 let match;
 let query = form.decodeForm(request.query);
- let headers = {};
+ let headers = {
+ 'Content-Security-Policy': 'sandbox',
+ };
 if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
 headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
 }
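Review bot: The wildcard test on the changed line reads more clearly when it comes first, so the strict byte comparison is only evaluated for non-wildcard positions: `if (bytes[i] !== null && dataBytes[i] !== bytes[i]) {`. With `!==` in place, every non-null entry of a `bytes` pattern must be a number, because a `Uint8Array` element never strictly equals a string; the `k_magic_bytes` table is not in this hunk, so that should be confirmed against its definition. startsWithBytes begins before the hunk and its match return lies after it.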
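Review bot: guessTypeFromMagicBytes has no documentation of its contract, which matters here because the commit message says the old property name silently broke detection and the function's fall-through to `undefined` looks identical to a miss. I would add a JSDoc above it stating that it returns the `type` of the first `k_magic_bytes` entry whose `bytes` prefix-match `data` (anything with `byteLength` and `slice`, as startsWithBytes uses), that it returns `undefined` when no entry matches, and that the result is a sniffed guess rather than an authoritative type. The rename to `magic.type` presumably matches the table's property name; the table is outside the hunk, so that cannot be checked here.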
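Review bot: The new `headers` block is the natural place to also stop browsers from re-sniffing the blob, since the response type presumably comes from guessTypeFromName/guessTypeFromMagicBytes and is therefore a guess: add `'X-Content-Type-Options': 'nosniff',` next to the `Content-Security-Policy` entry. `sandbox` already withholds script execution and the origin from anything rendered inline, so nosniff complements it by pinning the declared type rather than replacing it. blobHandler starts before the hunk and continues after it, so where `headers` is finally sent is not visible here.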