Today I discovered the "Content-Security-Policy: sandbox" header.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4298 ed5197a5-7fde-0310-b194-c3ffbd925b24
This commit is contained in:
70
core/core.js
70
core/core.js
@@ -16,13 +16,6 @@ const k_mime_types = {
|
||||
'svg': 'image/svg+xml',
|
||||
};
|
||||
|
||||
const k_mime_type_is_trusted = {
|
||||
'application/json': true,
|
||||
'text/css': true,
|
||||
'text/javascript': true,
|
||||
'text/json': true,
|
||||
};
|
||||
|
||||
const k_magic_bytes = [
|
||||
{bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'},
|
||||
{bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'},
|
||||
@@ -573,13 +566,6 @@ function guessTypeFromMagicBytes(data) {
|
||||
}
|
||||
}
|
||||
|
||||
function guessTypeUntrusted(path, data) {
|
||||
let type = guessTypeFromMagicBytes(data) || guessTypeFromName(path);
|
||||
if (k_mime_type_is_trusted[type]) {
|
||||
return type;
|
||||
}
|
||||
}
|
||||
|
||||
function sendData(response, data, type, headers) {
|
||||
if (data) {
|
||||
response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {}));
|
||||
@@ -742,44 +728,38 @@ async function blobHandler(request, response, blobId, uri) {
|
||||
response.end('OK');
|
||||
} else {
|
||||
let data;
|
||||
let type;
|
||||
let headers;
|
||||
let match;
|
||||
let id;
|
||||
if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
|
||||
let db = new Database(match[1]);
|
||||
let id = await db.get('path:' + match[2]);
|
||||
if (id) {
|
||||
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
||||
headers = {
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
};
|
||||
response.writeHead(304, headers);
|
||||
response.end();
|
||||
} else {
|
||||
data = utf8Decode(await getBlobOrContent(id));
|
||||
let appObject = JSON.parse(data);
|
||||
data = appObject.files[uri.substring(1)];
|
||||
data = await getBlobOrContent(data);
|
||||
type = guessTypeUntrusted(uri, data);
|
||||
headers = {
|
||||
'ETag': '"' + id + '"',
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
};
|
||||
sendData(response, data, type, headers);
|
||||
}
|
||||
let app_id = await db.get('path:' + match[2]);
|
||||
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(app_id)));
|
||||
id = app_object.files[uri.substring(1)];
|
||||
} else {
|
||||
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(blobId)));
|
||||
id = app_object.files[uri.substring(1)];
|
||||
}
|
||||
|
||||
if (id) {
|
||||
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
||||
let headers = {
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
'Content-Security-Policy': 'sandbox',
|
||||
};
|
||||
response.writeHead(304, headers);
|
||||
response.end();
|
||||
} else {
|
||||
let headers = {
|
||||
'ETag': '"' + id + '"',
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
'Content-Security-Policy': 'sandbox',
|
||||
};
|
||||
data = await getBlobOrContent(id);
|
||||
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
|
||||
sendData(response, data, type, headers);
|
||||
}
|
||||
} else {
|
||||
data = utf8Decode(await getBlobOrContent(blobId));
|
||||
let appObject = JSON.parse(data);
|
||||
data = appObject.files[uri.substring(1)];
|
||||
data = await getBlobOrContent(data);
|
||||
headers = {
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
};
|
||||
type = guessTypeUntrusted(uri, data);
|
||||
sendData(response, data, type, headers);
|
||||
sendData(response, data, type, {});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user