forked from cory/tildefriends
Today I discovered the "Content-Security-Policy: sandbox" header.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4298 ed5197a5-7fde-0310-b194-c3ffbd925b24
This commit is contained in:
parent
c807e21c6b
commit
5b8bdbb3e4
52
core/core.js
52
core/core.js
@ -16,13 +16,6 @@ const k_mime_types = {
|
|||||||
'svg': 'image/svg+xml',
|
'svg': 'image/svg+xml',
|
||||||
};
|
};
|
||||||
|
|
||||||
const k_mime_type_is_trusted = {
|
|
||||||
'application/json': true,
|
|
||||||
'text/css': true,
|
|
||||||
'text/javascript': true,
|
|
||||||
'text/json': true,
|
|
||||||
};
|
|
||||||
|
|
||||||
const k_magic_bytes = [
|
const k_magic_bytes = [
|
||||||
{bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'},
|
{bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'},
|
||||||
{bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'},
|
{bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'},
|
||||||
@ -573,13 +566,6 @@ function guessTypeFromMagicBytes(data) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function guessTypeUntrusted(path, data) {
|
|
||||||
let type = guessTypeFromMagicBytes(data) || guessTypeFromName(path);
|
|
||||||
if (k_mime_type_is_trusted[type]) {
|
|
||||||
return type;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function sendData(response, data, type, headers) {
|
function sendData(response, data, type, headers) {
|
||||||
if (data) {
|
if (data) {
|
||||||
response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {}));
|
response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {}));
|
||||||
@ -742,44 +728,38 @@ async function blobHandler(request, response, blobId, uri) {
|
|||||||
response.end('OK');
|
response.end('OK');
|
||||||
} else {
|
} else {
|
||||||
let data;
|
let data;
|
||||||
let type;
|
|
||||||
let headers;
|
|
||||||
let match;
|
let match;
|
||||||
|
let id;
|
||||||
if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
|
if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
|
||||||
let db = new Database(match[1]);
|
let db = new Database(match[1]);
|
||||||
let id = await db.get('path:' + match[2]);
|
let app_id = await db.get('path:' + match[2]);
|
||||||
|
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(app_id)));
|
||||||
|
id = app_object.files[uri.substring(1)];
|
||||||
|
} else {
|
||||||
|
let app_object = JSON.parse(utf8Decode(await getBlobOrContent(blobId)));
|
||||||
|
id = app_object.files[uri.substring(1)];
|
||||||
|
}
|
||||||
|
|
||||||
if (id) {
|
if (id) {
|
||||||
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
|
||||||
headers = {
|
let headers = {
|
||||||
'Access-Control-Allow-Origin': '*',
|
'Access-Control-Allow-Origin': '*',
|
||||||
|
'Content-Security-Policy': 'sandbox',
|
||||||
};
|
};
|
||||||
response.writeHead(304, headers);
|
response.writeHead(304, headers);
|
||||||
response.end();
|
response.end();
|
||||||
} else {
|
} else {
|
||||||
data = utf8Decode(await getBlobOrContent(id));
|
let headers = {
|
||||||
let appObject = JSON.parse(data);
|
|
||||||
data = appObject.files[uri.substring(1)];
|
|
||||||
data = await getBlobOrContent(data);
|
|
||||||
type = guessTypeUntrusted(uri, data);
|
|
||||||
headers = {
|
|
||||||
'ETag': '"' + id + '"',
|
'ETag': '"' + id + '"',
|
||||||
'Access-Control-Allow-Origin': '*',
|
'Access-Control-Allow-Origin': '*',
|
||||||
|
'Content-Security-Policy': 'sandbox',
|
||||||
};
|
};
|
||||||
|
data = await getBlobOrContent(id);
|
||||||
|
let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
|
||||||
sendData(response, data, type, headers);
|
sendData(response, data, type, headers);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
sendData(response, data, type, headers);
|
sendData(response, data, type, {});
|
||||||
}
|
|
||||||
} else {
|
|
||||||
data = utf8Decode(await getBlobOrContent(blobId));
|
|
||||||
let appObject = JSON.parse(data);
|
|
||||||
data = appObject.files[uri.substring(1)];
|
|
||||||
data = await getBlobOrContent(data);
|
|
||||||
headers = {
|
|
||||||
'Access-Control-Allow-Origin': '*',
|
|
||||||
};
|
|
||||||
type = guessTypeUntrusted(uri, data);
|
|
||||||
sendData(response, data, type, headers);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user