Commit d9af84e9 authored by Romain Courteaud's avatar Romain Courteaud Committed by Kazuhiko Shiozaki

erp5_web_js_style: configure the accepted iframe list on the web site

parent 40eab21b
...@@ -76,7 +76,9 @@ ...@@ -76,7 +76,9 @@
<item> <item>
<key> <string>center</string> </key> <key> <string>center</string> </key>
<value> <value>
<list/> <list>
<string>my_configuration_iframe_url_text</string>
</list>
</value> </value>
</item> </item>
<item> <item>
......
content_security_policy = "default-src 'self'; img-src 'self' data:" content_security_policy = "default-src 'self'; img-src 'self' data:"
if no_style_gadget_url: if no_style_gadget_url:
content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/" web_section = context
iframe_url_list = [x.strip() for x in web_section.getLayoutProperty('configuration_iframe_url_text', default='').split('\n') if x.strip()]
if iframe_url_list:
content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))
else: else:
# If not rendering gadget, fully disable javascript # If not rendering gadget, fully disable javascript
# as nothing is expected # as nothing is expected
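Review bot: The entries read from `configuration_iframe_url_text` are joined straight into the policy on the line `content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))` with no check that each one is a single CSP source expression, so an entry containing `;` or interior whitespace would append further directives or sources to the page's Content-Security-Policy. Because this property is set through the web site's layout configuration, each stripped entry should be validated before it is used, for example `iframe_url_list = [x for x in iframe_url_list if x.startswith('https://') and not any(c in x for c in ';\t ')]`, with a short comment stating that anything else is dropped. A test-data entry that is expected to be dropped would pin that behaviour, since the current data only exercises well-formed URLs and blank lines. The enclosing script starts and ends outside the hunk.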
......
...@@ -59,7 +59,7 @@ ...@@ -59,7 +59,7 @@
</tr> </tr>
<tr> <tr>
<td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td> <td colspan="3"><b>Javascript allowed if style defined and youtube iframe</b></td>
</tr> </tr>
<tr> <tr>
<td>open</td> <td>open</td>
...@@ -79,7 +79,7 @@ ...@@ -79,7 +79,7 @@
</tr> </tr>
<tr> <tr>
<td>assertElementPresent</td> <td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td> <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td> <td></td>
</tr> </tr>
...@@ -101,7 +101,7 @@ ...@@ -101,7 +101,7 @@
</tr> </tr>
<tr> <tr>
<td>assertElementPresent</td> <td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td> <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td> <td></td>
</tr> </tr>
...@@ -119,6 +119,31 @@ ...@@ -119,6 +119,31 @@
<td></td> <td></td>
</tr> </tr>
<tr>
<td colspan="3"><b>Javascript allowed if style defined and accepted iframe list</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=iframe</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://example.org/foo https://example.org/bar"]</td>
<td></td>
</tr>
</tbody></table> </tbody></table>
</body> </body>
</html> </html>
\ No newline at end of file
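Review bot: The heading in the first hunk still reads "Javascript allowed if style defined and youtube iframe", but the two assertions below it now expect a policy with no frame-src at all, so the label no longer describes the case; `<td colspan="3"><b>Javascript allowed if style defined and no iframe configured</b></td>` would match what is asserted. The new block added in the last hunk covers only well-formed URLs plus blank-line stripping (the `configuration=iframe` data), so nothing in the test pins what happens to a malformed entry; a second data set with an entry that should not reach the policy would make that contract explicit. Both points are in the hunks shown; the rest of the table is outside this view.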
...@@ -194,6 +194,11 @@ configuration_dict = { ...@@ -194,6 +194,11 @@ configuration_dict = {
'title': "Demo Style", 'title': "Demo Style",
'site_map_section_parent': True 'site_map_section_parent': True
}, },
'iframe': {
'configuration_style_gadget_url': "jsstyle_demo.html",
'configuration_iframe_url_text': "https://example.org/foo\nhttps://example.org/bar\n \n",
'title': "Demo Style with iframe"
},
'not_loading': { 'not_loading': {
'configuration_style_gadget_url': "jsstyle_demo_not_loading.html", 'configuration_style_gadget_url': "jsstyle_demo_not_loading.html",
'title': "Not Loading Style", 'title': "Not Loading Style",
......