Commit 68baa37c authored by Romain Courteaud's avatar Romain Courteaud

erp5_web_renderjs_ui: add the Content-Security-Policy configuration in the HTML page too

This allows the CSP configuration to be propagated to officejs.com
parent d303ca49
......@@ -2,6 +2,7 @@
<html ${manifest_attribute}>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="${content_security_policy}" />
<meta name="google" content="notranslate">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="${icon_url}">
......
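Review bot: The new `<meta http-equiv="Content-Security-Policy" content="${content_security_policy}" />` enforces only the directives browsers accept in a meta element; `frame-ancestors`, `report-uri`/`report-to` and `sandbox` are ignored there, so a configured policy that relies on them for framing or reporting is not honoured by this copy. The header-based delivery therefore has to stay the authoritative one, with this meta tag acting as a best-effort mirror for the officejs.com propagation case named in the commit message, and that expectation is worth recording in the script that fills `${content_security_policy}` rather than in this rendered page. The template also interpolates the value into a double-quoted attribute without any escaping of its own, so it depends entirely on the substituting script sanitizing it.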
......@@ -240,7 +240,7 @@
</item>
<item>
<key> <string>serial</string> </key>
<value> <string>988.54689.43253.59187</string> </value>
<value> <string>999.45838.25715.22579</string> </value>
</item>
<item>
<key> <string>state</string> </key>
......@@ -258,7 +258,7 @@
</tuple>
<state>
<tuple>
<float>1609513682.22</float>
<float>1650536641.08</float>
<string>UTC</string>
</tuple>
</state>
......
......@@ -46,15 +46,16 @@ elif (portal_type == "Web Manifest"):
response.setHeader('Content-Type', 'text/cache-manifest; charset=utf-8')
else:
if (mapping_dict is not None):
web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
content_security_policy = "default-src 'self' data: blob:"
x_frame_options = "SAMEORIGIN"
if (web_section):
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy).replace('"', "'")
x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options)
if (mapping_dict is not None):
mapping_dict['content_security_policy'] = content_security_policy
web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
# Do not allow to put inside an iframe
if not x_frame_options == "ALLOW-FROM-ALL":
response.setHeader("X-Frame-Options", x_frame_options)
......
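Review bot: The `.replace('"', "'")` appended on the new `content_security_policy = web_section.getLayoutProperty(...)` line only prevents a stored double quote from terminating the `content="${content_security_policy}"` attribute; `<`, `>` and `&` in the configured layout property still reach the template unescaped unless `TextDocument_substituteTextContent` escapes substituted values, which this hunk does not show. If it does not, escape the mapping value for an HTML attribute context before storing it (keeping the unmodified value for the response header, which is presumably set further down, outside the hunk) and add a comment such as `# quote-sanitized copy for the <meta> attribute; header uses the raw value` so the two forms are not confused later. Note also that `mapping_dict['content_security_policy'] = ...` mutates the caller's dict in place, which may be visible to callers that reuse the mapping. The enclosing `else:` branch starts and ends outside this hunk.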