From 5b8bdbb3e488f352a44d9c36b7311be0b354e888 Mon Sep 17 00:00:00 2001 From: Cory McWilliams Date: Sun, 14 May 2023 19:46:01 +0000 Subject: [PATCH] Today I discovered the "Content-Security-Policy: sandbox" header. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4298 ed5197a5-7fde-0310-b194-c3ffbd925b24 --- core/core.js | 70 +++++++++++++++++++--------------------------------- 1 file changed, 25 insertions(+), 45 deletions(-) diff --git a/core/core.js b/core/core.js index cec9a20d..d95779e6 100644 --- a/core/core.js +++ b/core/core.js @@ -16,13 +16,6 @@ const k_mime_types = { 'svg': 'image/svg+xml', }; -const k_mime_type_is_trusted = { - 'application/json': true, - 'text/css': true, - 'text/javascript': true, - 'text/json': true, -}; - const k_magic_bytes = [ {bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'}, {bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'}, @@ -573,13 +566,6 @@ function guessTypeFromMagicBytes(data) { } } -function guessTypeUntrusted(path, data) { - let type = guessTypeFromMagicBytes(data) || guessTypeFromName(path); - if (k_mime_type_is_trusted[type]) { - return type; - } -} - function sendData(response, data, type, headers) { if (data) { response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {})); @@ -742,44 +728,38 @@ async function blobHandler(request, response, blobId, uri) { response.end('OK'); } else { let data; - let type; - let headers; let match; + let id; if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) { let db = new Database(match[1]); - let id = await db.get('path:' + match[2]); - if (id) { - if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') { - headers = { - 'Access-Control-Allow-Origin': '*', - }; - response.writeHead(304, headers); - response.end(); - } else { - data = utf8Decode(await getBlobOrContent(id)); - let appObject = JSON.parse(data); - data = appObject.files[uri.substring(1)]; - data = await getBlobOrContent(data); - type = guessTypeUntrusted(uri, data); - headers = { - 'ETag': '"' + id + '"', - 'Access-Control-Allow-Origin': '*', - }; - sendData(response, data, type, headers); - } + let app_id = await db.get('path:' + match[2]); + let app_object = JSON.parse(utf8Decode(await getBlobOrContent(app_id))); + id = app_object.files[uri.substring(1)]; + } else { + let app_object = JSON.parse(utf8Decode(await getBlobOrContent(blobId))); + id = app_object.files[uri.substring(1)]; + } + + if (id) { + if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') { + let headers = { + 'Access-Control-Allow-Origin': '*', + 'Content-Security-Policy': 'sandbox', + }; + response.writeHead(304, headers); + response.end(); } else { + let headers = { + 'ETag': '"' + id + '"', + 'Access-Control-Allow-Origin': '*', + 'Content-Security-Policy': 'sandbox', + }; + data = await getBlobOrContent(id); + let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data); sendData(response, data, type, headers); } } else { - data = utf8Decode(await getBlobOrContent(blobId)); - let appObject = JSON.parse(data); - data = appObject.files[uri.substring(1)]; - data = await getBlobOrContent(data); - headers = { - 'Access-Control-Allow-Origin': '*', - }; - type = guessTypeUntrusted(uri, data); - sendData(response, data, type, headers); + sendData(response, data, type, {}); } } }