Commit 68baa37c authored by Romain Courteaud

erp5_web_renderjs_ui: add the Content-Security-Policy configuration in the HTML page too

This allows the CSP configuration to be propagated to officejs.com
parent d303ca49
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
<html ${manifest_attribute}> <html ${manifest_attribute}>
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="${content_security_policy}" />
<meta name="google" content="notranslate"> <meta name="google" content="notranslate">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" href="${icon_url}"> <link rel="shortcut icon" href="${icon_url}">
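Review bot: The new `<meta http-equiv="Content-Security-Policy">` on line 12 interpolates `${content_security_policy}` straight into a double-quoted attribute, so the value must be attribute-escaped (`"` as `&quot;`, `&` as `&amp;`) by whatever fills the mapping, or a policy containing a double quote terminates the attribute; the page appears to rely on the producer rewriting quotes in the policy instead. A policy delivered in `<meta>` is also narrower than the header: `frame-ancestors`, `report-uri` and `sandbox` are ignored there, and when the header is also sent the browser enforces both, so a stricter meta copy cannot be relaxed later by the header. If the mapping is ever not applied, the literal text `${content_security_policy}` is served as the policy, which browsers reject as malformed. A short comment next to the tag, such as `<!-- content_security_policy is substituted by the rendering script; keep it in sync with the CSP response header -->`, would document that the placeholder is mandatory.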
...@@ -240,7 +240,7 @@ ...@@ -240,7 +240,7 @@
</item> </item>
<item> <item>
<key> <string>serial</string> </key> <key> <string>serial</string> </key>
<value> <string>988.54689.43253.59187</string> </value> <value> <string>999.45838.25715.22579</string> </value>
</item> </item>
<item> <item>
<key> <string>state</string> </key> <key> <string>state</string> </key>
...@@ -258,7 +258,7 @@ ...@@ -258,7 +258,7 @@
</tuple> </tuple>
<state> <state>
<tuple> <tuple>
<float>1609513682.22</float> <float>1650536641.08</float>
<string>UTC</string> <string>UTC</string>
</tuple> </tuple>
</state> </state>
...@@ -46,15 +46,16 @@ elif (portal_type == "Web Manifest"): ...@@ -46,15 +46,16 @@ elif (portal_type == "Web Manifest"):
response.setHeader('Content-Type', 'text/cache-manifest; charset=utf-8') response.setHeader('Content-Type', 'text/cache-manifest; charset=utf-8')
else: else:
if (mapping_dict is not None):
web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
content_security_policy = "default-src 'self' data: blob:" content_security_policy = "default-src 'self' data: blob:"
x_frame_options = "SAMEORIGIN" x_frame_options = "SAMEORIGIN"
if (web_section): if (web_section):
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy) content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy).replace('"', "'")
x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options) x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options)
if (mapping_dict is not None):
mapping_dict['content_security_policy'] = content_security_policy
web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
# Do not allow to put inside an iframe # Do not allow to put inside an iframe
if not x_frame_options == "ALLOW-FROM-ALL": if not x_frame_options == "ALLOW-FROM-ALL":
response.setHeader("X-Frame-Options", x_frame_options) response.setHeader("X-Frame-Options", x_frame_options)
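Review bot: The `.replace('"', "'")` added on line 42 rewrites the configured policy itself, so the altered string is what reaches both the page attribute and, presumably, the `Content-Security-Policy` response header set later in the script; escaping belongs at the HTML attribute boundary, not in the policy value. Keep `content_security_policy` as read from the layout property and hand the template an attribute-escaped copy instead, e.g. `mapping_dict['content_security_policy'] = content_security_policy.replace('&', '&amp;').replace('"', '&quot;')`. Lines 44-45 also mutate the caller's `mapping_dict` in place; substituting with a copy (`dict(mapping_dict, content_security_policy=...)`) avoids a side effect the caller may not expect. The enclosing `else:` branch and the code that emits the CSP header continue outside the hunk.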