forked from OpenNeo/impress
Matchu
7ec900b6b6
Oh, I didn't realize the `_elem` variant of these parts of the `Content-Security-Policy` is newer, and so doesn't even work on my current version of Safari on my Mac. My rationale at the time was: `script_src_elem` is stricter against things like imports, and I figured, ok let's do the strictest policy that works. But since it's not fully compatible with browsers even *I'm* using right now, and I'm not aware of an actual problem it would prevent, let's back off that a bit! This should have the same effective security properties for our case. Note that the effect of this compatibility issue wasn't *weakening* the policy; it was being *too* strict, by blocking the scripts and the stylesheets. This is because `script_src_elem` was ignored, and `script_src` was absent, so it fell back to `default_src none`.
44 lines
1.1 KiB
Ruby
44 lines
1.1 KiB
Ruby
class SwfAssetsController < ApplicationController
|
|
# We're very careful with what content is allowed to load. This is because
|
|
# asset movies run arbitrary JS, and, while we generally trust content from
|
|
# Neopets.com, let's not be *allowing* movie JS to do whatever it wants! This
|
|
# is a good default security stance, even if we don't foresee an attack.
|
|
content_security_policy do |policy|
|
|
policy.sandbox "allow-scripts"
|
|
policy.default_src "none"
|
|
|
|
policy.img_src -> {
|
|
src_list(
|
|
helpers.image_url("favicon.png"),
|
|
@swf_asset.image_url,
|
|
*@swf_asset.canvas_movie_sprite_urls,
|
|
)
|
|
}
|
|
|
|
policy.script_src -> {
|
|
src_list(
|
|
helpers.javascript_url("lib/easeljs.min"),
|
|
helpers.javascript_url("lib/tweenjs.min"),
|
|
helpers.javascript_url("swf_assets/show"),
|
|
@swf_asset.canvas_movie_library_url,
|
|
)
|
|
}
|
|
|
|
policy.style_src -> {
|
|
src_list(
|
|
helpers.stylesheet_url("swf_assets/show"),
|
|
)
|
|
}
|
|
end
|
|
|
|
def show
|
|
@swf_asset = SwfAsset.find params[:id]
|
|
render layout: nil
|
|
end
|
|
|
|
private
|
|
|
|
def src_list(*urls)
|
|
urls.filter(&:present?).map { |url| url.sub(/\?.*\z/, "") }.join(" ")
|
|
end
|
|
end
|