From 81c66bdddd4801d5cfb9094d7ac59e0a258c5af0 Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Mon, 29 Jan 2024 00:00:20 +0000
Subject: [PATCH] Allow downloads and top navigation from sandboxed pages.

Trying to make the wiki more sensible.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4817 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 core/core.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/core.js b/core/core.js
index 78a71de3..90af4b36 100644
--- a/core/core.js
+++ b/core/core.js
@@ -6,6 +6,8 @@ import * as http from './http.js';
 let gProcesses = {};
 let gStatsTimer = false;
 
+const k_content_security_policy = 'sandbox allow-downloads allow-top-navigation-by-user-activation';
+
 const k_mime_types = {
 'css': 'text/css',
 'html': 'text/html',
@@ -736,7 +738,7 @@ async function blobHandler(request, response, blobId, uri) {
 let match;
 let query = form.decodeForm(request.query);
 let headers = {
- 'Content-Security-Policy': 'sandbox',
+ 'Content-Security-Policy': k_content_security_policy,
 };
 if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
 headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
@@ -893,13 +895,13 @@ async function blobHandler(request, response, blobId, uri) {
 }
 sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, {
 'Access-Control-Allow-Origin': '*',
- 'Content-Security-Policy': 'sandbox',
+ 'Content-Security-Policy': k_content_security_policy,
 }), answer.status_code);
 } else if (id) {
 if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
 let headers = {
 'Access-Control-Allow-Origin': '*',
- 'Content-Security-Policy': 'sandbox',
+ 'Content-Security-Policy': k_content_security_policy,
 'Content-Length': '0',
 };
 response.writeHead(304, headers);
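Review bot: The new `k_content_security_policy` constant in the first hunk grants two sandbox relaxations without a comment saying why, and since it is now the single value stamped on every blob response it deserves a line recording the intent and the trade-off. With `sandbox` and no `allow-scripts`/`allow-same-origin`, served blobs still run no script and keep an opaque origin, but `allow-top-navigation-by-user-activation` lets a link inside any served blob replace the whole tab on a click and `allow-downloads` lets a blob offer a file download, so whatever content ends up stored as a blob inherits both. Suggested comment above the constant: `// Blobs are served sandboxed (no script, opaque origin). allow-downloads lets a page offer files; allow-top-navigation-by-user-activation lets a clicked link leave the sandboxed frame. Any further allow-* flag widens what stored blob content can do.` The same value is applied in the three later hunks of blobHandler, so one comment here covers them.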
@@ -908,7 +910,7 @@ async function blobHandler(request, response, blobId, uri) {
 let headers = {
 'ETag': '"' + id + '"',
 'Access-Control-Allow-Origin': '*',
- 'Content-Security-Policy': 'sandbox',
+ 'Content-Security-Policy': k_content_security_policy,
 };
 data = await getBlobOrContent(id);
 let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);