FEATURE: allow for local theme js assets (#16374)

Due to default CSP web workers instantiated from CDN based assets are still treated as "same-origin" meaning that we had no way of safely instansiating a web worker from a theme. This limits the theme system and adds the arbitrary restriction that WASM based components can not be safely used. To resolve this limitation all js assets in about.json are also cached on local domain. { "name": "Header Icons", "assets" : { "worker" : "assets/worker.js" } } This can then be referenced in JS via: settings.theme_uploads_local.worker local_js_assets are unconditionally served from the site directly and bypass the entire CDN, using the pre-existing JavascriptCache Previous to this change this code was completely dormant on sites which used s3 based uploads, this reuses the very well tested and cached asset system on s3 based sites. Note, when creating local_js_assets it is highly recommended to keep the assets lean and keep all the heavy working in CDN based assets. For example wasm files can still live on the CDN but the lean worker that loads it can live on local. This change unlocks wasm in theme components, so wasm is now also allowed in `theme_authorized_extensions` * more usages of upload.content * add a specific test for upload.content * Adjust logic to ensure that after upgrades we still get a cached local js on save
2025-02-25 18:55:32 -06:00 · 2022-04-07 07:58:10 +10:00
parent ef2e4f7ee0
commit cedcdb0057
11 changed files with 159 additions and 28 deletions
--- a/app/models/javascript_cache.rb
+++ b/app/models/javascript_cache.rb
@@ -8,11 +8,19 @@ class JavascriptCache < ActiveRecord::Base
  before_save :update_digest

  def url
-    "#{GlobalSetting.cdn_url}#{Discourse.base_path}/theme-javascripts/#{digest}.js?__ws=#{Discourse.current_hostname}"
+    "#{GlobalSetting.cdn_url}#{Discourse.base_path}#{path}"
+  end
+
+  def local_url
+    "#{Discourse.base_url}#{path}"
  end

  private

+  def path
+    "/theme-javascripts/#{digest}.js?__ws=#{Discourse.current_hostname}"
+  end
+
  def update_digest
    self.digest = Digest::SHA1.hexdigest(content) if content_changed?
  end
--- a/app/models/theme.rb
+++ b/app/models/theme.rb
@@ -539,12 +539,19 @@ class Theme < ActiveRecord::Base
    end

    theme_uploads = {}
+    theme_uploads_local = {}
+
    upload_fields.each do |field|
      if field.upload&.url
        theme_uploads[field.name] = Discourse.store.cdn_url(field.upload.url)
      end
+      if field.javascript_cache
+        theme_uploads_local[field.name] = field.javascript_cache.local_url
+      end
    end
+
    hash['theme_uploads'] = theme_uploads if theme_uploads.present?
+    hash['theme_uploads_local'] = theme_uploads_local if theme_uploads_local.present?

    hash
  end
@@ -652,7 +659,7 @@ class Theme < ActiveRecord::Base
    end

    settings_hash&.each do |name, value|
-      next if name == "theme_uploads"
+      next if name == "theme_uploads" || name == "theme_uploads_local"
      contents << to_scss_variable(name, value)
    end

--- a/app/models/theme_field.rb
+++ b/app/models/theme_field.rb
@@ -184,7 +184,7 @@ class ThemeField < ActiveRecord::Base

    begin
      content = File.read(path)
-      svg_file = Nokogiri::XML(content) do |config|
+      Nokogiri::XML(content) do |config|
        config.options = Nokogiri::XML::ParseOptions::NOBLANKS
      end
    rescue => e
@@ -568,6 +568,12 @@ class ThemeField < ActiveRecord::Base
    if (will_save_change_to_value? || will_save_change_to_upload_id?) && !will_save_change_to_value_baked?
      self.value_baked = nil
    end
+    if upload && upload.extension == "js"
+      if will_save_change_to_upload_id? || !javascript_cache
+        javascript_cache ||= build_javascript_cache
+        javascript_cache.content = upload.content
+      end
+    end
  end

  after_save do
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -171,6 +171,22 @@ class Upload < ActiveRecord::Base
    end
  end

+  def content
+    original_path = Discourse.store.path_for(self)
+    external_copy = nil
+
+    if original_path.blank?
+      external_copy = Discourse.store.download(self)
+      original_path = external_copy.path
+    end
+
+    File.read(original_path)
+  ensure
+    if external_copy
+      File.unlink(external_copy.path)
+    end
+  end
+
  def fix_image_extension
    return false if extension == "unknown"