Commit 5313a815 authored by iv's avatar iv

Clean CSP configuration acquisition.

parent 383b0f32
...@@ -56,6 +56,7 @@ if response is None:\n ...@@ -56,6 +56,7 @@ if response is None:\n
response = REQUEST.RESPONSE\n response = REQUEST.RESPONSE\n
\n \n
web_page = context\n web_page = context\n
web_section = REQUEST.get("current_web_section")\n
\n \n
if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n
response.setStatus(304)\n response.setStatus(304)\n
...@@ -63,6 +64,7 @@ if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDat ...@@ -63,6 +64,7 @@ if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDat
\n \n
portal_type = web_page.getPortalType()\n portal_type = web_page.getPortalType()\n
web_content = web_page.getTextContent()\n web_content = web_page.getTextContent()\n
web_site = web_page.getWebSiteValue()\n
\n \n
# set headers depending on type of script\n # set headers depending on type of script\n
if (portal_type == "Web Script"):\n if (portal_type == "Web Script"):\n
...@@ -75,18 +77,19 @@ elif (portal_type == "Web Manifest"):\n ...@@ -75,18 +77,19 @@ elif (portal_type == "Web Manifest"):\n
response.setHeader(\'Content-Type\', \'text/cache-manifest\')\n response.setHeader(\'Content-Type\', \'text/cache-manifest\')\n
\n \n
else:\n else:\n
csp = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:"\n
if (mapping_dict is not None):\n if (mapping_dict is not None):\n
web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
# get CSP headers from the mapping dict if defined\n \n
csp = mapping_dict.get("content_security_policy", csp)\n content_security_policy = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' data:; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:"\n
if (web_section):\n
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)\n
\n \n
# Do not allow to put inside an iframe\n # Do not allow to put inside an iframe\n
response.setHeader("X-Frame-Options", "SAMEORIGIN")\n response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
response.setHeader("X-Content-Type-Options", "nosniff")\n response.setHeader("X-Content-Type-Options", "nosniff")\n
\n \n
# Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
response.setHeader("Content-Security-Policy", csp)\n response.setHeader("Content-Security-Policy", content_security_policy)\n
\n \n
response.setHeader(\'Content-Type\', \'text/html\')\n response.setHeader(\'Content-Type\', \'text/html\')\n
\n \n
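Review bot: The per-section value fetched by `web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)` is sent verbatim as the header, so an empty or blank configured value (if getLayoutProperty returns it rather than the default — I can't tell from here) yields an empty `Content-Security-Policy` header and silently disables the policy. A one-token guard keeps the hard-coded policy as the floor: `content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy) or content_security_policy`. Note also that the override replaces the whole policy rather than merging, so a section configuration can relax it to anything; the comment `# Only fetch code (html, js, css, image) and data from this ERP5, ...` above the setHeader call now only describes the default and should say so, e.g. `# Default policy restricts fetches to this ERP5; a Web Section may override it via configuration_content_security_policy`. The enclosing script starts before this hunk.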
...@@ -70,7 +70,6 @@ return default_web_page.WebPage_viewAsWeb(mapping_dict={\n ...@@ -70,7 +70,6 @@ return default_web_page.WebPage_viewAsWeb(mapping_dict={\n
"header_gadget": web_section.getLayoutProperty("configuration_header_gadget_url", default="gadget_erp5_header.html"),\n "header_gadget": web_section.getLayoutProperty("configuration_header_gadget_url", default="gadget_erp5_header.html"),\n
"jio_gadget": web_section.getLayoutProperty("configuration_jio_gadget_url", default="gadget_jio.html"),\n "jio_gadget": web_section.getLayoutProperty("configuration_jio_gadget_url", default="gadget_jio.html"),\n
"translation_gadget": web_section.getLayoutProperty("configuration_translation_gadget_url", default="gadget_translation.html"),\n "translation_gadget": web_section.getLayoutProperty("configuration_translation_gadget_url", default="gadget_translation.html"),\n
"content_security_policy": web_section.getLayoutProperty("configuration_content_security_policy"),\n
"manifest_url": web_section.getLayoutProperty("configuration_manifest_url", default="gadget_erp5.appcache")\n "manifest_url": web_section.getLayoutProperty("configuration_manifest_url", default="gadget_erp5.appcache")\n
})\n })\n
</string> </value> </string> </value>