Set correct mime type in jailed. Set correct types on script imports in bonfire/show. Open helmet up to potentially unsafe levels by allowing "* unsafe-inline" in scriptSrc.

app.js

@@ -115,6 +115,7 @@ app.disable('x-powered-by');
 app.use(helmet.xssFilter());
 app.use(helmet.noSniff());
 app.use(helmet.xframe());
+/*
 app.use(function(req, res, next) {
     res.header('Access-Control-Allow-Origin', '*');
     res.header('Access-Control-Allow-Headers',
@@ -122,6 +123,7 @@ app.use(function(req, res, next) {
               );
     next();
 });
+*/
 
 var trusted = [
   "'self'",
@@ -167,7 +169,8 @@ app.use(helmet.contentSecurityPolicy({
     scriptSrc: [
         '*.optimizely.com',
         '*.aspnetcdn.com',
-        '*.d3js.org'
+        '*.d3js.org',
+        "* 'unsafe-inline'"
     ].concat(trusted),
     'connect-src': [
         'ws://*.rafflecopter.com',

public/js/lib/jailed/_frame.html

@@ -1 +1 @@
-<script src="_frame.js"></script>
+<script sandbox="allow-same-origin allow-scripts" src="_frame.js"></script>

public/js/lib/jailed/_frame.js

@@ -24,12 +24,19 @@ var blobCode = [
   ' });                                                    '
 ].join('\n');
 
-var blobUrl = window.URL.createObjectURL(
-    new Blob([blobCode])
-);
+var blobUrl;
+try {
+  blobUrl = new Blob([blobCode], {type: 'application/javascript'});
+} catch (e) {
+  window.BlobBuilder = window.BlobBuilder
+    || window.WebKitBlobBuilder
+    || window.MozBlobBuilder;
+  blobUrl = new BlobBuilder();
+  blobUrl.append(blobCode);
+  blobUrl = blobUrl.getBlob();
+}
 
-
-var worker = new Worker(blobUrl);
+var worker = new Worker(URL.createObjectURL(blobUrl));
 
 // telling worker to load _pluginWeb.js (see blob code above)
 worker.postMessage({

views/bonfire/show.jade

@@ -1,21 +1,21 @@
 extends ../layout-wide
 block content
 
-    script(src='/js/lib/codemirror/lib/codemirror.js')
-    script(src='/js/lib/codemirror/addon/edit/closebrackets.js')
-    script(src='/js/lib/codemirror/addon/edit/matchbrackets.js')
-    script(src='/js/lib/codemirror/addon/lint/lint.js')
-    script(src='/js/lib/codemirror/addon/lint/javascript-lint.js')
-    script(src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
-    script(src='/js/lib/chai/chai.js')
+    script(type='text/javascript', src='/js/lib/codemirror/lib/codemirror.js')
+    script(type='text/javascript', src='/js/lib/codemirror/addon/edit/closebrackets.js')
+    script(type='text/javascript', src='/js/lib/codemirror/addon/edit/matchbrackets.js')
+    script(type='text/javascript', src='/js/lib/codemirror/addon/lint/lint.js')
+    script(type='text/javascript', src='/js/lib/codemirror/addon/lint/javascript-lint.js')
+    script(type='text/javascript', src='//ajax.aspnetcdn.com/ajax/jshint/r07/jshint.js')
+    script(type='text/javascript', src='/js/lib/chai/chai.js')
     link(rel='stylesheet', href='/js/lib/codemirror/lib/codemirror.css')
     link(rel='stylesheet', href='/js/lib/codemirror/addon/lint/lint.css')
     link(rel='stylesheet', href='/js/lib/codemirror/theme/monokai.css')
     link(rel="stylesheet", href="http://fonts.googleapis.com/css?family=Ubuntu+Mono")
-    script(src='/js/lib/codemirror/mode/javascript/javascript.js')
-    script(src='/js/lib/jailed/jailed.js')
-    script(src='/js/lib/bonfire/bonfireInit.js')
-    script(src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
+    script(type='text/javascript', src='/js/lib/codemirror/mode/javascript/javascript.js')
+    script(type='text/javascript', src='/js/lib/jailed/jailed.js')
+    script(type='text/javascript', src='/js/lib/bonfire/bonfireInit.js')
+    script(type='text/javascript', src="//cdnjs.cloudflare.com/ajax/libs/ramda/0.13.0/ramda.min.js")
 
 
     .row