Commit d9af84e9 authored by Romain Courteaud's avatar Romain Courteaud Committed by Kazuhiko Shiozaki

erp5_web_js_style: configure the accepted iframe list on the web site

parent 40eab21b
......@@ -76,7 +76,9 @@
<item>
<key> <string>center</string> </key>
<value>
<list/>
<list>
<string>my_configuration_iframe_url_text</string>
</list>
</value>
</item>
<item>
......
content_security_policy = "default-src 'self'; img-src 'self' data:"
if no_style_gadget_url:
content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/"
web_section = context
iframe_url_list = [x.strip() for x in web_section.getLayoutProperty('configuration_iframe_url_text', default='').split('\n') if x.strip()]
if iframe_url_list:
content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))
else:
# If not rendering gadget, fully disable javascript
# as nothing is expected
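Review bot: The entries read from `configuration_iframe_url_text` are joined straight into the policy string on the `frame-src 'self' %s` line with nothing but `strip()`, so one entry such as `https://a.example; script-src *` opens a new directive and silently defeats the "fully disable javascript" intent of this script; the property is admin-editable layout configuration, so this is a hardening gap rather than a direct injection, but the CSP is the control the rest of the site relies on. Each entry should be checked to be exactly one CSP host-source token before the join: no `;` or `,`, no embedded whitespace or quotes, and an explicit `http://`/`https://` scheme. Raising `ValueError` surfaces a typo at render time; dropping the bad entry would also fail closed but hide the misconfiguration, and validating in the form field touched by the first hunk is another option. The hard-coded `https://www.youtube-nocookie.com/embed/` source also appears to be gone from the default policy (the test expectations drop it), so existing sites that embed YouTube will need the URL added to the new property — worth a line in the commit message. The script continues outside the hunk on both sides.
```python
web_section = context
iframe_url_list = []
for iframe_url in web_section.getLayoutProperty('configuration_iframe_url_text', default='').split('\n'):
  iframe_url = iframe_url.strip()
  if not iframe_url:
    continue
  # Each entry must be exactly one CSP source expression: ';' or ',' would
  # start a new directive, whitespace or quotes would smuggle extra sources
  # or keywords into the policy. Fail loudly on misconfiguration.
  if (';' in iframe_url or ',' in iframe_url
      or "'" in iframe_url or '"' in iframe_url
      or len(iframe_url.split()) != 1
      or not iframe_url.startswith(('https://', 'http://'))):
    raise ValueError('Invalid CSP frame source in configuration_iframe_url_text: %r' % iframe_url)
  iframe_url_list.append(iframe_url)
if iframe_url_list:
  content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))
# … unchanged: else branch disabling javascript …
```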
......
......@@ -59,7 +59,7 @@
</tr>
<tr>
<td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td>
<td colspan="3"><b>Javascript allowed if style defined and youtube iframe</b></td>
</tr>
<tr>
<td>open</td>
......@@ -79,7 +79,7 @@
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td>
</tr>
......@@ -101,7 +101,7 @@
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td>
</tr>
......@@ -119,6 +119,31 @@
<td></td>
</tr>
<tr>
<td colspan="3"><b>Javascript allowed if style defined and accepted iframe list</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=iframe</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://example.org/foo https://example.org/bar"]</td>
<td></td>
</tr>
</tbody></table>
</body>
</html>
\ No newline at end of file
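Review bot: The new `iframe` case only checks that two well-formed URLs are echoed into the meta CSP; nothing asserts that the policy cannot be extended from this admin-editable field. A second fixture configuration whose `configuration_iframe_url_text` holds an entry such as `https://example.org/foo; script-src *` should be added, with an `assertElementPresent` that the emitted `@content` still contains no `script-src` — or an assertion that rendering rejects the value, depending on how the generating script is made to handle it. The exact-match XPath on `@content` in the new assertion will also break whenever the base policy changes; `contains(@content, "frame-src 'self' https://example.org/foo https://example.org/bar")` would keep this step focused on the frame-src part it is meant to test.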
......@@ -194,6 +194,11 @@ configuration_dict = {
'title': "Demo Style",
'site_map_section_parent': True
},
'iframe': {
'configuration_style_gadget_url': "jsstyle_demo.html",
'configuration_iframe_url_text': "https://example.org/foo\nhttps://example.org/bar\n \n",
'title': "Demo Style with iframe"
},
'not_loading': {
'configuration_style_gadget_url': "jsstyle_demo_not_loading.html",
'title': "Not Loading Style",
......