Today I discovered the "Content-Security-Policy: sandbox" header.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4298 ed5197a5-7fde-0310-b194-c3ffbd925b24
This commit is contained in:
Cory McWilliams 2023-05-14 19:46:01 +00:00
parent c807e21c6b
commit 5b8bdbb3e4

View File

@ -16,13 +16,6 @@ const k_mime_types = {
'svg': 'image/svg+xml',
};
const k_mime_type_is_trusted = {
'application/json': true,
'text/css': true,
'text/javascript': true,
'text/json': true,
};
const k_magic_bytes = [
{bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'},
{bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'},
@ -573,13 +566,6 @@ function guessTypeFromMagicBytes(data) {
}
}
function guessTypeUntrusted(path, data) {
let type = guessTypeFromMagicBytes(data) || guessTypeFromName(path);
if (k_mime_type_is_trusted[type]) {
return type;
}
}
function sendData(response, data, type, headers) {
if (data) {
response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {}));
@ -742,44 +728,38 @@ async function blobHandler(request, response, blobId, uri) {
response.end('OK');
} else {
let data;
let type;
let headers;
let match;
let id;
if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
let db = new Database(match[1]);
let id = await db.get('path:' + match[2]);
if (id) {
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
headers = {
'Access-Control-Allow-Origin': '*',
};
response.writeHead(304, headers);
response.end();
} else {
data = utf8Decode(await getBlobOrContent(id));
let appObject = JSON.parse(data);
data = appObject.files[uri.substring(1)];
data = await getBlobOrContent(data);
type = guessTypeUntrusted(uri, data);
headers = {
'ETag': '"' + id + '"',
'Access-Control-Allow-Origin': '*',
};
sendData(response, data, type, headers);
}
let app_id = await db.get('path:' + match[2]);
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(app_id)));
id = app_object.files[uri.substring(1)];
} else {
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(blobId)));
id = app_object.files[uri.substring(1)];
}
if (id) {
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
let headers = {
'Access-Control-Allow-Origin': '*',
'Content-Security-Policy': 'sandbox',
};
response.writeHead(304, headers);
response.end();
} else {
let headers = {
'ETag': '"' + id + '"',
'Access-Control-Allow-Origin': '*',
'Content-Security-Policy': 'sandbox',
};
data = await getBlobOrContent(id);
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
sendData(response, data, type, headers);
}
} else {
data = utf8Decode(await getBlobOrContent(blobId));
let appObject = JSON.parse(data);
data = appObject.files[uri.substring(1)];
data = await getBlobOrContent(data);
headers = {
'Access-Control-Allow-Origin': '*',
};
type = guessTypeUntrusted(uri, data);
sendData(response, data, type, headers);
sendData(response, data, type, {});
}
}
}