Allow downloads and top navigation from sandboxed pages. Trying to make the wiki more sensible.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4817 ed5197a5-7fde-0310-b194-c3ffbd925b24
Cory McWilliams 2024-01-29 00:00:20 +00:00
parent 4bd46a1657
commit 81c66bdddd


@ -6,6 +6,8 @@ import * as http from './http.js';
let gProcesses = {}; let gProcesses = {};
let gStatsTimer = false; let gStatsTimer = false;
const k_content_security_policy = 'sandbox allow-downloads allow-top-navigation-by-user-activation';
const k_mime_types = { const k_mime_types = {
'css': 'text/css', 'css': 'text/css',
'html': 'text/html', 'html': 'text/html',
@ -736,7 +738,7 @@ async function blobHandler(request, response, blobId, uri) {
let match; let match;
let query = form.decodeForm(request.query); let query = form.decodeForm(request.query);
let headers = { let headers = {
'Content-Security-Policy': 'sandbox', 'Content-Security-Policy': k_content_security_policy,
}; };
if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) { if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
headers['Content-Disposition'] = `attachment; filename=${query.filename}`; headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
@ -893,13 +895,13 @@ async function blobHandler(request, response, blobId, uri) {
} }
sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, { sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, {
'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Origin': '*',
'Content-Security-Policy': 'sandbox', 'Content-Security-Policy': k_content_security_policy,
}), answer.status_code); }), answer.status_code);
} else if (id) { } else if (id) {
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') { if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
let headers = { let headers = {
'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Origin': '*',
'Content-Security-Policy': 'sandbox', 'Content-Security-Policy': k_content_security_policy,
'Content-Length': '0', 'Content-Length': '0',
}; };
response.writeHead(304, headers); response.writeHead(304, headers);
@ -908,7 +910,7 @@ async function blobHandler(request, response, blobId, uri) {
let headers = { let headers = {
'ETag': '"' + id + '"', 'ETag': '"' + id + '"',
'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Origin': '*',
'Content-Security-Policy': 'sandbox', 'Content-Security-Policy': k_content_security_policy,
}; };
data = await getBlobOrContent(id); data = await getBlobOrContent(id);
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data); let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
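Review bot: The new `k_content_security_policy` constant in the first hunk now sets the isolation for every response path in `blobHandler` (the download headers, the app-handler reply, the 304 and the blob body), but nothing records which sandbox tokens are deliberately left out. The policy still omits `allow-scripts` and `allow-same-origin`, which is presumably what keeps served content from running script or being treated as same-origin with the site. The added `allow-top-navigation-by-user-activation` does let a link inside that content replace the whole tab on a click. I would add a comment above the constant, e.g. `// Sandbox for served blob/app content: do not add allow-scripts or allow-same-origin; top navigation is permitted only on a user gesture.` Whether these responses share an origin with the authenticated UI is not visible in these hunks, so confirm that before widening the policy further.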