OfficeJS: Add CSP configuration.

da4ed4e9 · iv · 64828784 · da4ed4e9 · da4ed4e9 · da4ed4e9
Commit da4ed4e9 authored Dec 29, 2015 by iv
4 changed files
--- a/bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor.xml
+++ b/bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor.xml
@@ -351,6 +351,16 @@
                      <value> <string>string</string> </value>
                  </item>
                </dictionary>
+                <dictionary>
+                  <item>
+                      <key> <string>id</string> </key>
+                      <value> <string>configuration_content_security_policy</string> </value>
+                  </item>
+                  <item>
+                      <key> <string>type</string> </key>
+                      <value> <string>string</string> </value>
+                  </item>
+                </dictionary>
              </tuple>
            </value>
        </item>
@@ -392,6 +402,10 @@
            <key> <string>configuration_application_title</string> </key>
            <value> <string>Text Editor</string> </value>
        </item>
+        <item>
+            <key> <string>configuration_content_security_policy</string> </key>
+            <value> <string>default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' * mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:</string> </value>
+        </item>
        <item>
            <key> <string>configuration_default_view_action_reference</string> </key>
            <value>
@@ -721,7 +735,7 @@
            </item>
            <item>
                <key> <string>serial</string> </key>
-                <value> <string>946.4378.53544.28347</string> </value>
+                <value> <string>947.57052.16419.11059</string> </value>
            </item>
            <item>
                <key> <string>state</string> </key>
@@ -739,7 +753,7 @@
                    </tuple>
                    <state>
                      <tuple>
-                        <float>1446730078.39</float>
+                        <float>1450452633.63</float>
                        <string>UTC</string>
                      </tuple>
                    </state>

--- a/bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor/hateoas.xml
+++ b/bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor/hateoas.xml
@@ -178,6 +178,16 @@
                      <value> <string>string</string> </value>
                  </item>
                </dictionary>
+                <dictionary>
+                  <item>
+                      <key> <string>id</string> </key>
+                      <value> <string>configuration_content_security_policy</string> </value>
+                  </item>
+                  <item>
+                      <key> <string>type</string> </key>
+                      <value> <string>string</string> </value>
+                  </item>
+                </dictionary>
              </tuple>
            </value>
        </item>
@@ -193,6 +203,12 @@
              <none/>
            </value>
        </item>
+        <item>
+            <key> <string>configuration_content_security_policy</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
        <item>
            <key> <string>configuration_frontpage_gadget_url</string> </key>
            <value>
@@ -414,7 +430,7 @@
            </item>
            <item>
                <key> <string>actor</string> </key>
-                <value> <string>cedric.le.ninivin</string> </value>
+                <value> <string>zope</string> </value>
            </item>
            <item>
                <key> <string>comment</string> </key>
@@ -428,7 +444,7 @@
            </item>
            <item>
                <key> <string>serial</string> </key>
-                <value> <string>945.58601.10119.52531</string> </value>
+                <value> <string>947.56939.21991.31146</string> </value>
            </item>
            <item>
                <key> <string>state</string> </key>
@@ -446,7 +462,7 @@
                    </tuple>
                    <state>
                      <tuple>
-                        <float>1443112993.68</float>
+                        <float>1450449679.31</float>
                        <string>UTC</string>
                      </tuple>
                    </state>

--- a/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsWeb.xml
+++ b/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsWeb.xml
@@ -75,14 +75,18 @@ elif (portal_type == "Web Manifest"):\n
  response.setHeader(\'Content-Type\', \'text/cache-manifest\')\n
 \n
 else:\n
+  csp = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:"\n
  if (mapping_dict is not None):\n
    web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
+    # get CSP headers from the mapping dict if defined\n
+    csp = mapping_dict.get("content_security_policy", csp)\n
+\n
  # Do not allow to put inside an iframe\n
  response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
  response.setHeader("X-Content-Type-Options", "nosniff")\n
 \n
  # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
-  response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:")\n
+  response.setHeader("Content-Security-Policy", csp)\n
 \n
  response.setHeader(\'Content-Type\', \'text/html\')\n
 \n

--- a/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebSection_renderDefaultPageAsGadget.xml
+++ b/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebSection_renderDefaultPageAsGadget.xml
@@ -70,6 +70,7 @@ return default_web_page.WebPage_viewAsWeb(mapping_dict={\n
  "header_gadget": web_section.getLayoutProperty("configuration_header_gadget_url", default="gadget_erp5_header.html"),\n
  "jio_gadget": web_section.getLayoutProperty("configuration_jio_gadget_url", default="gadget_jio.html"),\n
  "translation_gadget": web_section.getLayoutProperty("configuration_translation_gadget_url", default="gadget_translation.html"),\n
+  "content_security_policy": web_section.getLayoutProperty("configuration_content_security_policy"),\n
  "manifest_url": web_section.getLayoutProperty("configuration_manifest_url", default="gadget_erp5.appcache")\n
 })\n
 </string> </value>