Commit da4ed4e9 authored by iv's avatar iv

OfficeJS: Add CSP configuration.

parent 64828784
...@@ -351,6 +351,16 @@ ...@@ -351,6 +351,16 @@
<value> <string>string</string> </value> <value> <string>string</string> </value>
</item> </item>
</dictionary> </dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -392,6 +402,10 @@ ...@@ -392,6 +402,10 @@
<key> <string>configuration_application_title</string> </key> <key> <string>configuration_application_title</string> </key>
<value> <string>Text Editor</string> </value> <value> <string>Text Editor</string> </value>
</item> </item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value> <string>default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' * mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:</string> </value>
</item>
<item> <item>
<key> <string>configuration_default_view_action_reference</string> </key> <key> <string>configuration_default_view_action_reference</string> </key>
<value> <value>
...@@ -721,7 +735,7 @@ ...@@ -721,7 +735,7 @@
</item> </item>
<item> <item>
<key> <string>serial</string> </key> <key> <string>serial</string> </key>
<value> <string>946.4378.53544.28347</string> </value> <value> <string>947.57052.16419.11059</string> </value>
</item> </item>
<item> <item>
<key> <string>state</string> </key> <key> <string>state</string> </key>
...@@ -739,7 +753,7 @@ ...@@ -739,7 +753,7 @@
</tuple> </tuple>
<state> <state>
<tuple> <tuple>
<float>1446730078.39</float> <float>1450452633.63</float>
<string>UTC</string> <string>UTC</string>
</tuple> </tuple>
</state> </state>
......
...@@ -178,6 +178,16 @@ ...@@ -178,6 +178,16 @@
<value> <string>string</string> </value> <value> <string>string</string> </value>
</item> </item>
</dictionary> </dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -193,6 +203,12 @@ ...@@ -193,6 +203,12 @@
<none/> <none/>
</value> </value>
</item> </item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value>
<none/>
</value>
</item>
<item> <item>
<key> <string>configuration_frontpage_gadget_url</string> </key> <key> <string>configuration_frontpage_gadget_url</string> </key>
<value> <value>
...@@ -414,7 +430,7 @@ ...@@ -414,7 +430,7 @@
</item> </item>
<item> <item>
<key> <string>actor</string> </key> <key> <string>actor</string> </key>
<value> <string>cedric.le.ninivin</string> </value> <value> <string>zope</string> </value>
</item> </item>
<item> <item>
<key> <string>comment</string> </key> <key> <string>comment</string> </key>
...@@ -428,7 +444,7 @@ ...@@ -428,7 +444,7 @@
</item> </item>
<item> <item>
<key> <string>serial</string> </key> <key> <string>serial</string> </key>
<value> <string>945.58601.10119.52531</string> </value> <value> <string>947.56939.21991.31146</string> </value>
</item> </item>
<item> <item>
<key> <string>state</string> </key> <key> <string>state</string> </key>
...@@ -446,7 +462,7 @@ ...@@ -446,7 +462,7 @@
</tuple> </tuple>
<state> <state>
<tuple> <tuple>
<float>1443112993.68</float> <float>1450449679.31</float>
<string>UTC</string> <string>UTC</string>
</tuple> </tuple>
</state> </state>
......
...@@ -75,14 +75,18 @@ elif (portal_type == "Web Manifest"):\n ...@@ -75,14 +75,18 @@ elif (portal_type == "Web Manifest"):\n
response.setHeader(\'Content-Type\', \'text/cache-manifest\')\n response.setHeader(\'Content-Type\', \'text/cache-manifest\')\n
\n \n
else:\n else:\n
csp = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:"\n
if (mapping_dict is not None):\n if (mapping_dict is not None):\n
web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
# get CSP headers from the mapping dict if defined\n
csp = mapping_dict.get("content_security_policy", csp)\n
\n
# Do not allow to put inside an iframe\n # Do not allow to put inside an iframe\n
response.setHeader("X-Frame-Options", "SAMEORIGIN")\n response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
response.setHeader("X-Content-Type-Options", "nosniff")\n response.setHeader("X-Content-Type-Options", "nosniff")\n
\n \n
# Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:")\n response.setHeader("Content-Security-Policy", csp)\n
\n \n
response.setHeader(\'Content-Type\', \'text/html\')\n response.setHeader(\'Content-Type\', \'text/html\')\n
\n \n
......
...@@ -70,6 +70,7 @@ return default_web_page.WebPage_viewAsWeb(mapping_dict={\n ...@@ -70,6 +70,7 @@ return default_web_page.WebPage_viewAsWeb(mapping_dict={\n
"header_gadget": web_section.getLayoutProperty("configuration_header_gadget_url", default="gadget_erp5_header.html"),\n "header_gadget": web_section.getLayoutProperty("configuration_header_gadget_url", default="gadget_erp5_header.html"),\n
"jio_gadget": web_section.getLayoutProperty("configuration_jio_gadget_url", default="gadget_jio.html"),\n "jio_gadget": web_section.getLayoutProperty("configuration_jio_gadget_url", default="gadget_jio.html"),\n
"translation_gadget": web_section.getLayoutProperty("configuration_translation_gadget_url", default="gadget_translation.html"),\n "translation_gadget": web_section.getLayoutProperty("configuration_translation_gadget_url", default="gadget_translation.html"),\n
"content_security_policy": web_section.getLayoutProperty("configuration_content_security_policy"),\n
"manifest_url": web_section.getLayoutProperty("configuration_manifest_url", default="gadget_erp5.appcache")\n "manifest_url": web_section.getLayoutProperty("configuration_manifest_url", default="gadget_erp5.appcache")\n
})\n })\n
</string> </value> </string> </value>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment