Allow downloads and top navigation from sandboxed pages. Trying to make the wiki more sensible.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4817 ed5197a5-7fde-0310-b194-c3ffbd925b24
parent
4bd46a1657
commit
81c66bdddd
10
core/core.js
10
core/core.js
@ -6,6 +6,8 @@ import * as http from './http.js';
|
|||||||
let gProcesses = {};
|
let gProcesses = {};
|
||||||
let gStatsTimer = false;
|
let gStatsTimer = false;
|
||||||
|
|
||||||
|
const k_content_security_policy = 'sandbox allow-downloads allow-top-navigation-by-user-activation';
|
||||||
|
|
||||||
const k_mime_types = {
|
const k_mime_types = {
|
||||||
'css': 'text/css',
|
'css': 'text/css',
|
||||||
'html': 'text/html',
|
'html': 'text/html',
|
||||||
@ -736,7 +738,7 @@ async function blobHandler(request, response, blobId, uri) {
|
|||||||
let match;
|
let match;
|
||||||
let query = form.decodeForm(request.query);
|
let query = form.decodeForm(request.query);
|
||||||
let headers = {
|
let headers = {
|
||||||
'Content-Security-Policy': 'sandbox',
|
'Content-Security-Policy': k_content_security_policy,
|
||||||
};
|
};
|
||||||
if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
|
if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
|
||||||
headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
|
headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
|
||||||
@ -893,13 +895,13 @@ async function blobHandler(request, response, blobId, uri) {
|
|||||||
}
|
}
|
||||||
sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, {
|
sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, {
|
||||||
'Access-Control-Allow-Origin': '*',
|
'Access-Control-Allow-Origin': '*',
|
||||||
'Content-Security-Policy': 'sandbox',
|
'Content-Security-Policy': k_content_security_policy,
|
||||||
}), answer.status_code);
|
}), answer.status_code);
|
||||||
} else if (id) {
|
} else if (id) {
|
||||||
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
||||||
let headers = {
|
let headers = {
|
||||||
'Access-Control-Allow-Origin': '*',
|
'Access-Control-Allow-Origin': '*',
|
||||||
'Content-Security-Policy': 'sandbox',
|
'Content-Security-Policy': k_content_security_policy,
|
||||||
'Content-Length': '0',
|
'Content-Length': '0',
|
||||||
};
|
};
|
||||||
response.writeHead(304, headers);
|
response.writeHead(304, headers);
|
||||||
@ -908,7 +910,7 @@ async function blobHandler(request, response, blobId, uri) {
|
|||||||
let headers = {
|
let headers = {
|
||||||
'ETag': '"' + id + '"',
|
'ETag': '"' + id + '"',
|
||||||
'Access-Control-Allow-Origin': '*',
|
'Access-Control-Allow-Origin': '*',
|
||||||
'Content-Security-Policy': 'sandbox',
|
'Content-Security-Policy': k_content_security_policy,
|
||||||
};
|
};
|
||||||
data = await getBlobOrContent(id);
|
data = await getBlobOrContent(id);
|
||||||
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
|
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
|
||||||
|
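Review bot: `k_content_security_policy` replaces the bare `'sandbox'` at all four visible header sites in `blobHandler` (the headers built before the `filename` check, the handler `answer` response, the 304, and the blob body), so the relaxation is not limited to the wiki case named in the commit message. Content served from these paths looks user-supplied, and it can now start downloads and move the top-level window to an arbitrary URL after a click. If only the wiki links need this, consider keeping `'sandbox'` on the remaining paths, or at least state the intent at the definition, e.g. `// Blob sandbox: downloads and user-activated top navigation only; allow-scripts, allow-forms and allow-same-origin stay off.` It is also worth confirming that nothing in `answer?.headers` can loosen the policy; the `Object.assign` order shown lets the fixed value win for the exact key `'Content-Security-Policy'`. `blobHandler` starts and ends outside the visible hunks, so other response paths may set their own headers.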