FIX: Add script asset locations to worker-src CSP directives

FIX: Add script asset locations to worker-src CSP directives

We no longer need :blob worker src since d5463d2a. But we do want to allow workers to be loaded from all our existing script-src options.

diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index 78ca564..95d98fc 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -23,19 +23,20 @@ class ContentSecurityPolicy
     end
 
     SCRIPT_ASSET_DIRECTORIES = [
-      # [dir, can_use_s3_cdn, can_use_cdn]
-      ['/assets/',             true, true],
-      ['/brotli_asset/',       true, true],
-      ['/extra-locales/',      false, false],
-      ['/highlight-js/',       false, true],
-      ['/javascripts/',        false, true],
-      ['/plugins/',            false, true],
-      ['/theme-javascripts/',  false, true],
-      ['/svg-sprite/',         false, true],
+      # [dir, can_use_s3_cdn, can_use_cdn, for_worker]
+      ['/assets/',             true, true, true],
+      ['/brotli_asset/',       true, true, true],
+      ['/extra-locales/',      false, false, false],
+      ['/highlight-js/',       false, true, false],
+      ['/javascripts/',        false, true, true],
+      ['/plugins/',            false, true, true],
+      ['/theme-javascripts/',  false, true, false],
+      ['/svg-sprite/',         false, true, false],
     ]
 
-    def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
-      SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
+    def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url, worker: false)
+      SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn, for_worker|
+        next if worker && !for_worker
         if can_use_s3_cdn && s3_cdn
           s3_cdn + dir
         elsif can_use_cdn && cdn
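Review bot: The new `worker:` keyword and the fourth `for_worker` column are undocumented; a reader has to trace `next if worker && !for_worker` (a nil from the block, dropped by the `.compact` added in the next hunk) to learn that `worker: true` restricts the result to the directories flagged for workers. A YARD line on `script_assets`, `# @param worker [Boolean] when true, return only directories whose for_worker column is true (the set allowed in worker-src)`, plus `# for_worker: whether worker-src may load scripts from this directory` next to the table header would cover it. If the codebase is on Ruby 2.7+, `filter_map` would express the skip-and-compact in one step, though the two-step form is acceptable. `script_assets` ends in the next hunk, outside this one.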
@@ -43,7 +44,7 @@ class ContentSecurityPolicy
         else
           base + dir
         end
-      end
+      end.compact
     end
 
     def script_src
@@ -62,8 +63,7 @@ class ContentSecurityPolicy
 
     def worker_src
       [
-        :self,
-        :blob, # ACE editor registers a service worker with a blob for syntax checking
+        *script_assets(worker: true)
       ]
     end
 
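Review bot: Dropping `:self` from `worker_src` goes further than the description's "no longer need :blob": a same-origin worker script outside the four directories flagged `for_worker` is now refused, and when `cdn_url` or `s3_cdn_url` is configured the listed entries become CDN-host URLs while the same-origin path disappears from the directive altogether. Dedicated and service worker scripts are, as far as I know, fetched same-origin, so on a CDN-backed site the directive may end up listing hosts that cannot serve a worker and omitting the one that can; worth confirming against a CDN deployment and keeping `:self` (or the `base + dir` entries) if so. Separately, splatting the only element into a fresh array literal is redundant: `script_assets(worker: true)` already returns an array, so the body can be just `script_assets(worker: true)`.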
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index bad12dd..764bc03 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -33,11 +33,13 @@ describe ContentSecurityPolicy do
   end
 
   describe 'worker-src' do
-    it 'always has self and blob' do
+    it 'always has script srcs' do
       worker_srcs = parse(policy)['worker-src']
       expect(worker_srcs).to eq(%w[
-        'self'
-        blob:
+        http://test.localhost/assets/
+        http://test.localhost/brotli_asset/
+        http://test.localhost/javascripts/
+        http://test.localhost/plugins/
       ])
     end
   end
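Review bot: The updated example only exercises the no-CDN configuration, so the `for_worker` filtering is checked but the `s3_cdn + dir` and `cdn + dir` branches of `script_assets` never reach worker-src in a test. An additional example with `cdn_url` configured (and one with `s3_cdn_url`) would pin what worker-src contains in that case and would make explicit whether a same-origin entry is still expected now that `'self'` is gone. An assertion such as `expect(worker_srcs).not_to include('blob:')` would also state the intent of the change directly rather than only through the full-list equality.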

GitHub sha: a5608025