Emi Matchu
38bad12778
Before this change, the "Ornamental Lake with Goldies" item would fail to preview on the item page: the iframe for the animation layer would display an error page. The error was: ``` Invalid Content Security Policy script-src: "https://images.neopets.com/cp/items/data/000/000/497/497366_deca9f2827/497366_HTML5 Canvas.js". Directive values must not contain whitespace or semicolons. Please use multiple arguments or other directive methods instead. (ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError) ``` This is because the URL that Neopets sends us for this JS file contains an unescaped space character. This isn't usually an issue for e.g. loading a URL in the browser, but it's *not* valid syntax for inclusion in a Content Security Policy. In this change, we update our CSP code to parse URLs into `Addressable::URI` objects, which enables us to call the `normalize!` method, which fixes oddities like that. The URL now correctly appears in the CSP as `https://images.neopets.com/cp/items/data/000/000/497/497366_deca9f2827/497366_HTML5%20Canvas.js`. |
||
|---|---|---|
| .. | ||
| assets | ||
| controllers | ||
| helpers | ||
| javascript | ||
| mailers/fundraising | ||
| models | ||
| services | ||
| views | ||