From 7ec900b6b6502dcc0435614b05c7762d71b2a0d2 Mon Sep 17 00:00:00 2001 From: Matchu Date: Sat, 6 Jul 2024 12:47:59 -0700 Subject: [PATCH] Use {script,style}_src instead of _elem, for better compatibility Oh, I didn't realize the `_elem` variant of these parts of the `Content-Security-Policy` is newer, and so doesn't even work on my current version of Safari on my Mac. My rationale at the time was: `script_src_elem` is stricter against things like imports, and I figured, ok let's do the strictest policy that works. But since it's not fully compatible with browsers even *I'm* using right now, and I'm not aware of an actual problem it would prevent, let's back off that a bit! This should have the same effective security properties for our case. Note that the effect of this compatibility issue wasn't *weakening* the policy; it was being *too* strict, by blocking the scripts and the stylesheets. This is because `script_src_elem` was ignored, and `script_src` was absent, so it fell back to `default_src none`. --- app/controllers/swf_assets_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/swf_assets_controller.rb b/app/controllers/swf_assets_controller.rb index 220e60ff..bd55a06a 100644 --- a/app/controllers/swf_assets_controller.rb +++ b/app/controllers/swf_assets_controller.rb @@ -15,7 +15,7 @@ class SwfAssetsController < ApplicationController ) } - policy.script_src_elem -> { + policy.script_src -> { src_list( helpers.javascript_url("lib/easeljs.min"), helpers.javascript_url("lib/tweenjs.min"), @@ -24,7 +24,7 @@ class SwfAssetsController < ApplicationController ) } - policy.style_src_elem -> { + policy.style_src -> { src_list( helpers.stylesheet_url("swf_assets/show"), )
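Review bot: In the `@@ -15,7` hunk, the reasoning from the commit message (that `script_src_elem` is ignored by older browsers and, with no `script_src` set, the page falls back to `default_src none` and blocks its own scripts) should live as a one-line comment above `policy.script_src -> {`, otherwise the `_elem` variant is likely to be reintroduced later in the name of strictness; something like `# Not script_src_elem: not supported by older Safari, and without script_src the fallback is default_src 'none'.` For the record, browsers that do implement `script-src-elem` and `script-src-attr` fall back to `script-src` when those are absent, so the allowlist of `helpers.javascript_url("lib/easeljs.min")` and `helpers.javascript_url("lib/tweenjs.min")` is enforced the same way in both old and new browsers, and inline handlers stay blocked because the list carries no `'unsafe-inline'`. A request spec asserting that the response's `Content-Security-Policy` header contains a `script-src` directive listing those URLs would catch the silent-fallback regression this change fixes.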
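Review bot: In the `@@ -24,7` hunk, switching to `policy.style_src` also makes it the fallback for `style-src-attr`, so any inline `style=` attributes in the `swf_assets/show` view remain blocked exactly as they were under `default_src none`; if that view relies on inline styles, the fix is a nonce or hash added to this `src_list`, not `'unsafe-inline'`. Same request as for the script hunk: a short comment explaining why `style_src_elem` is avoided, and a manual check in the Safari version mentioned in the commit message that the stylesheet from `helpers.stylesheet_url("swf_assets/show")` now loads with no CSP violation reported in the console.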