Commit 050c8d29 authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

erp5_web_renderjs_ui: X-FRAME-Options header is configurable.

parent 549a8851
...@@ -84,6 +84,7 @@ ...@@ -84,6 +84,7 @@
<string>my_configuration_router_gadget_url</string> <string>my_configuration_router_gadget_url</string>
<string>my_configuration_header_gadget_url</string> <string>my_configuration_header_gadget_url</string>
<string>my_configuration_content_security_policy</string> <string>my_configuration_content_security_policy</string>
<string>my_configuration_x_frame_options</string>
</list> </list>
</value> </value>
</item> </item>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ProxyField" module="Products.ERP5Form.ProxyField"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>delegated_list</string> </key>
<value>
<list>
<string>default</string>
<string>description</string>
<string>title</string>
</list>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>my_configuration_x_frame_options</string> </value>
</item>
<item>
<key> <string>message_values</string> </key>
<value>
<dictionary>
<item>
<key> <string>external_validator_failed</string> </key>
<value> <string>The input failed the external validator.</string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>overrides</string> </key>
<value>
<dictionary>
<item>
<key> <string>field_id</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>form_id</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>target</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>tales</string> </key>
<value>
<dictionary>
<item>
<key> <string>default</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>field_id</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>form_id</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>target</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>values</string> </key>
<value>
<dictionary>
<item>
<key> <string>default</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string>Set Value to "ALLOW-FROM-ALL" to disable this header</string> </value>
</item>
<item>
<key> <string>field_id</string> </key>
<value> <string>my_string_field</string> </value>
</item>
<item>
<key> <string>form_id</string> </key>
<value> <string>Base_viewFieldLibrary</string> </value>
</item>
<item>
<key> <string>target</string> </key>
<value> <string>Click to edit the target</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string>X-Frame-Options</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="2" aka="AAAAAAAAAAI=">
<pickle>
<global name="TALESMethod" module="Products.Formulator.TALESField"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_text</string> </key>
<value> <string>python: here.getLayoutProperty("configuration_x_frame_options", default="SAMEORIGIN")</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
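Review bot: The `description` value in the `values` dictionary, `Set Value to "ALLOW-FROM-ALL" to disable this header`, leaves the accepted values undocumented, while the field is a plain proxy of `my_string_field` with no validator, so whatever an administrator types here is what ends up in the response header. I would extend the description to something like `Accepted values: DENY or SAMEORIGIN (default). Set to "ALLOW-FROM-ALL" to omit the header; "ALLOW-FROM <uri>" is not honoured by current browsers, use the Content Security Policy frame-ancestors directive to allow specific framing origins instead.` The TALES default on the `_text` record already encodes SAMEORIGIN as the fallback, so naming it in the description keeps the two in step.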
...@@ -28,11 +28,14 @@ else: ...@@ -28,11 +28,14 @@ else:
web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict) web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
content_security_policy = "default-src 'self' data: blob:" content_security_policy = "default-src 'self' data: blob:"
x_frame_options = "SAMEORIGIN"
if (web_section): if (web_section):
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy) content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)
x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options)
# Do not allow to put inside an iframe # Do not allow to put inside an iframe
response.setHeader("X-Frame-Options", "SAMEORIGIN") if not x_frame_options == "ALLOW-FROM-ALL":
response.setHeader("X-Frame-Options", x_frame_options)
response.setHeader("X-Content-Type-Options", "nosniff") response.setHeader("X-Content-Type-Options", "nosniff")
# Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget's code # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget's code
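Review bot: The new branch `if not x_frame_options == "ALLOW-FROM-ALL":` passes any other configured value straight into `response.setHeader("X-Frame-Options", ...)`, so a typo, an empty string or an `ALLOW-FROM <uri>` value (which current browsers ignore) silently produces a header the browser discards, i.e. the site falls open to framing instead of failing closed. I would restrict the emitted value to the two tokens browsers actually honour and fall back to SAMEORIGIN otherwise, keeping ALLOW-FROM-ALL as the explicit opt-out, and point admins to `frame-ancestors` in the `configuration_content_security_policy` property read on the line above for selective framing. `!=` reads better than `not ... ==`, and the comment `# Do not allow to put inside an iframe` is now stale since the policy is configurable. The hunk appears to be truncated after this line, so the rest of the script is not visible here.
```python
x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options)
# Framing policy: only DENY and SAMEORIGIN are honoured by browsers; the
# sentinel ALLOW-FROM-ALL omits the header entirely (use the CSP
# frame-ancestors directive to allow specific framing origins).
if x_frame_options != "ALLOW-FROM-ALL":
    if x_frame_options not in ("DENY", "SAMEORIGIN"):
        x_frame_options = "SAMEORIGIN"
    response.setHeader("X-Frame-Options", x_frame_options)
# ... unchanged: X-Content-Type-Options and CSP headers ...
```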