DEV: Remove blob: workers from CSP (#10440)

DEV: Remove blob: workers from CSP (#10440)

Ace editor is reconfigured to load its workers directly from their JS URL instead of from a blob: URL. Dedicated workers must be served from the same origin as the site, so they will not use the CDN.

diff --git a/app/assets/javascripts/admin/components/ace-editor.js b/app/assets/javascripts/admin/components/ace-editor.js
index 123193c..407b0fe 100644
--- a/app/assets/javascripts/admin/components/ace-editor.js
+++ b/app/assets/javascripts/admin/components/ace-editor.js
@@ -1,5 +1,6 @@
 import Component from "@ember/component";
 import loadScript from "discourse/lib/load-script";
+import getURL from "discourse-common/lib/get-url";
 import { observes } from "discourse-common/utils/decorators";
 import { on } from "@ember/object/evented";
 
@@ -74,6 +75,9 @@ export default Component.extend({
 
     loadScript("/javascripts/ace/ace.js").then(() => {
       window.ace.require(["ace/ace"], loadedAce => {
+        loadedAce.config.set("loadWorkerFromBlob", false);
+        loadedAce.config.set("workerPath", getURL("/javascripts/ace")); // Do not use CDN for workers
+
         if (!this.element || this.isDestroying || this.isDestroyed) {
           return;
         }
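Review bot: The two `loadedAce.config.set` calls run before the `isDestroying`/`isDestroyed` guard and mutate the global Ace config, and the `// Do not use CDN for workers` comment only states the effect, not the reason the global change is required; replace it with `// CSP worker-src no longer allows blob:, so Ace must fetch workers by URL from this origin (see lib/content_security_policy/default.rb)`. Moving the two lines below the guard would also avoid reconfiguring Ace on behalf of a component that has already been torn down, although the values are constant so the current ordering is harmless. `workerPath` is passed through `getURL` while the `loadScript("/javascripts/ace/ace.js")` path is not; if `loadScript` does not apply the subfolder prefix itself, the script and worker paths could resolve against different bases on a subfolder install, so that is worth confirming. The enclosing method continues outside the hunk.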
diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index 43f076e..52a116c 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -63,8 +63,7 @@ class ContentSecurityPolicy
 
     def worker_src
       [
-        "'self'",
-        "blob:",
+        "'self'", # For service worker
         *script_assets(worker: true)
       ]
     end
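Review bot: The `# For service worker` comment on `'self'` is now too narrow: after this change `'self'` is also what authorises Ace's dedicated workers, which are fetched by URL from `/javascripts/ace` on the site origin, so a future cleanup of the service worker could wrongly conclude that `'self'` is droppable. Suggest `'self', # Service worker, and dedicated workers loaded by URL (e.g. Ace); dedicated workers must be same-origin anyway`. If `*script_assets(worker: true)` contributes CDN origins, those entries cannot be used by `new Worker()` at all because a dedicated worker URL must be same-origin, which would be worth a comment so nobody expects workers to come from the CDN. Any theme or plugin that creates a worker from a `blob:` URL will now be blocked by this policy, which deserves a line in the commit description as a potential breaking change for third-party code.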
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index d7b60eb..04557e3 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -37,7 +37,6 @@ describe ContentSecurityPolicy do
       worker_srcs = parse(policy)['worker-src']
       expect(worker_srcs).to eq(%w[
         'self'
-        blob:
         http://test.localhost/assets/
         http://test.localhost/brotli_asset/
         http://test.localhost/javascripts/

GitHub sha: 8ac85f54

This commit appears in #10440 which was approved by eviltrout. It was merged by davidtaylorhq.