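class SwfAssetsController < ApplicationController
  # We're very careful with what content is allowed to load. This is because
  # asset movies run arbitrary JS, and, while we generally trust content from
  # Neopets.com, let's not be *allowing* movie JS to do whatever it wants! This
  # is a good default security stance, even if we don't foresee an attack.
  #
  # The `-> { ... }` sources are resolved by Rails against the controller
  # instance when the response headers are built, i.e. after the action has
  # run, so they can read the `@swf_asset` that `show` loads.
  content_security_policy do |policy|
    # Sandbox the document. Without `allow-same-origin` the page gets an
    # opaque origin, so movie JS can't read our cookies or storage even though
    # the page is served from our own host.
    policy.sandbox "allow-scripts"

    # The `'none'` keyword must be quoted in the header. Rails only adds the
    # quotes for the `:none` symbol; the string "none" is emitted verbatim as
    # `default-src none`, which browsers read as a hostname called "none"
    # (nothing matches it, but it's not what we mean and it logs a warning).
    policy.default_src :none

    policy.img_src -> {
      src_list(
        helpers.image_url("favicon.png"),
        @swf_asset.image_url,
        *@swf_asset.canvas_movie_sprite_urls,
      )
    }

    # We use `script_src`/`style_src` rather than the newer `*_elem` variants:
    # `*_elem` isn't supported by every current browser (some Safari versions
    # included), and a browser that ignores it falls back to
    # `default_src 'none'` and blocks our scripts and stylesheets entirely.
    # For our case the plain directives give the same effective protection.
    policy.script_src -> {
      src_list(
        helpers.javascript_url("lib/easeljs.min"),
        helpers.javascript_url("lib/tweenjs.min"),
        helpers.javascript_url("swf_assets/show"),
        @swf_asset.canvas_movie_library_url,
      )
    }

    policy.style_src -> {
      src_list(
        helpers.stylesheet_url("swf_assets/show"),
      )
    }
  end

  # GET /swf_assets/:id
  #
  # Renders the movie page without the application layout; the policy above
  # restricts what that page may load.
  #
  # Presumably raises ActiveRecord::RecordNotFound (a 404 in Rails) when no
  # asset has this id — depends on SwfAsset being an ActiveRecord model.
  def show
    @swf_asset = SwfAsset.find params[:id]
    render layout: nil
  end

  private

  # Builds a space-separated CSP source list from asset URLs.
  #
  # Blank entries (e.g. an asset with no movie library) are dropped. A CSP
  # source expression may carry a path but no query string or fragment, so
  # both are stripped: leaving them in would make that source invalid and the
  # browser would then block the asset rather than allow it.
  #
  # @param urls [Array<String, nil>] asset URLs, possibly blank
  # @return [String] e.g. "https://example.test/a.js https://example.test/b.js"
  def src_list(*urls)
    urls
      .select(&:present?)
      .map { |url| url.sub(/[?#].*\z/m, "") }
      .join(" ")
  end
end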