From a4fa6a3ac7659724f3c79ed93d5e2b925e27db18 Mon Sep 17 00:00:00 2001
From: Jaco Greeff <jacogr@gmail.com>
Date: Fri, 14 Jul 2017 18:50:19 +0200
Subject: [PATCH] Add CSP for worker-src (#6059)

* Specify worker-src seperately, add blob:

* Upgrade react-qr-scan to latest version
---
 dapps/src/handlers/mod.rs | 4 +++-
 js/package.json           | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dapps/src/handlers/mod.rs b/dapps/src/handlers/mod.rs
index bb640ed17..7937ce667 100644
--- a/dapps/src/handlers/mod.rs
+++ b/dapps/src/handlers/mod.rs
@@ -68,6 +68,9 @@ pub fn add_security_headers(headers: &mut header::Headers, embeddable_on: Embedd
 		b"font-src 'self' data: https:;".to_vec(),
 		// Allow inline scripts and scripts eval (webpack/jsconsole)
 		b"script-src 'self' 'unsafe-inline' 'unsafe-eval';".to_vec(),
+		// Same restrictions as script-src (fallback) with additional
+		// blob: that is required for camera access (worker)
+		b"worker-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ;".to_vec(),
 		// Restrict everything else to the same origin.
 		b"default-src 'self';".to_vec(),
 		// Run in sandbox mode (although it's not fully safe since we allow same-origin and script)
@@ -140,4 +143,3 @@ pub fn convert_uri_to_url(uri: &uri::RequestUri, host: Option<&header::Host>) ->
 		_ => None,
 	}
 }
-
diff --git a/js/package.json b/js/package.json
index fb69b12d2..2298c5265 100644
--- a/js/package.json
+++ b/js/package.json
@@ -209,7 +209,7 @@
     "react-intl": "2.1.5",
     "react-markdown": "2.4.4",
     "react-portal": "3.0.0",
-    "react-qr-reader": "1.0.3",
+    "react-qr-reader": "1.1.3",
     "react-redux": "4.4.6",
     "react-router": "3.0.0",
     "react-router-redux": "4.0.7",