FIX: Add script asset locations to worker-src CSP directives

We no longer need :blob worker src since d5463d2a. But we do want to allow workers to be loaded from all our existing script-src options.
2025-02-25 18:55:32 -06:00 · 2020-08-14 12:30:39 +01:00
parent d5463d2a4d
commit a5608025aa
2 changed files with 19 additions and 17 deletions
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -33,11 +33,13 @@ describe ContentSecurityPolicy do
  end

  describe 'worker-src' do
-    it 'always has self and blob' do
+    it 'always has script srcs' do
      worker_srcs = parse(policy)['worker-src']
      expect(worker_srcs).to eq(%w[
-        'self'
-        blob:
+        http://test.localhost/assets/
+        http://test.localhost/brotli_asset/
+        http://test.localhost/javascripts/
+        http://test.localhost/plugins/
      ])
    end
  end