erp5_web_js_style: factorise content security policy value

cd343f79 · Romain Courteaud · 388a882e · cd343f79 · cd343f79 · cd343f79
Commit cd343f79 authored Feb 16, 2023 by Romain Courteaud
7 changed files
--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.py
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.py
+content_security_policy = "default-src 'self'"
+
+if no_style_gadget_url:
+  content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/"
+else:
+  # If not rendering gadget, fully disable javascript
+  # as nothing is expected
+  content_security_policy += "; script-src 'none'"
+
+return content_security_policy
--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.xml
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>no_style_gadget_url</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>WebSection_generateContentSecurityPolicy</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/dialog_main.zpt
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/dialog_main.zpt
@@ -22,12 +22,13 @@
      keyword_list python: web_section.getSubjectList();
      og_locale_dict python: web_site.WebSite_getOgLocaleDict();
      current_language python: web_site.getPortalObject().Localizer.get_selected_language();
-      global_definitions_macros here/global_definitions/macros;">
+      global_definitions_macros here/global_definitions/macros;
+      content_security_policy python: web_section.WebSection_generateContentSecurityPolicy(no_style_gadget_url);">
      <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
 <!DOCTYPE html>
 <html tal:attributes="lang current_language">
  <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/" />
+  <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
  <meta name="referrer" content="same-origin">
  <meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
  <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />

--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/error_main.zpt
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/error_main.zpt
@@ -14,12 +14,13 @@
      favicon_url python: web_section.WebSection_generateLayoutPropertyUrl('configuration_favicon_url');
      og_locale_dict python: web_site.WebSite_getOgLocaleDict();
      current_language python: web_site.getPortalObject().Localizer.get_selected_language();
-      global_definitions_macros here/global_definitions/macros;">
+      global_definitions_macros here/global_definitions/macros;
+      content_security_policy python: web_section.WebSection_generateContentSecurityPolicy('');">
      <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
 <!DOCTYPE html>
 <html tal:attributes="lang current_language">
  <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'" />
+  <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
  <meta name="referrer" content="same-origin">
  <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
  <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />

--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/view_main.zpt
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/view_main.zpt
@@ -24,7 +24,8 @@
      og_locale_dict python: web_site.WebSite_getOgLocaleDict();
      current_language python: web_site.getPortalObject().Localizer.get_selected_language();
      global_definitions_macros here/global_definitions/macros;
-      include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));">
+      include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));
+      content_security_policy python: web_section.WebSection_generateContentSecurityPolicy(no_style_gadget_url);">
  <tal:block tal:condition="python: is_unexpected_reference_access">
    <tal:block metal:use-macro="context/error_main/macros/master">
      <metal:slot metal:fill-slot="main" i18n:domain="erp5_ui">
@@ -47,7 +48,7 @@
 <!DOCTYPE html>
 <html tal:attributes="lang current_language">
  <head>
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/" />
+  <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
  <meta name="referrer" content="same-origin">
  <meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
  <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />

--- a/bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.xml
+++ b/bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>content_type</string> </key>
+            <value> <string>text/html</string> </value>
+        </item>
+        <item>
+            <key> <string>expand</string> </key>
+            <value> <int>0</int> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>testJsStyleContentSecurityPolicy</string> </value>
+        </item>
+        <item>
+            <key> <string>output_encoding</string> </key>
+            <value> <string>utf-8</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value> <unicode></unicode> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt
+++ b/bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt
+<html xmlns:tal="http://xml.zope.org/namespaces/tal"
+      xmlns:metal="http://xml.zope.org/namespaces/metal">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Test JS Style No Style</title>
+</head>
+<body>
+<table cellpadding="1" cellspacing="1" border="1">
+<thead>
+<tr><td rowspan="1" colspan="3">Test JS Style No Style</td></tr>
+</thead><tbody>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
+
+<tr>
+  <td colspan="3"><b>No javascript allowed if no style defined</b></td>
+</tr>
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=nostyle</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=nostyleform</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td>
+</tr>
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=section</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=form</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td colspan="3"><b>No javascript allowed in case of error</b></td>
+</tr>
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/WebSite_raiseNotImplementedError</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
+  <td></td>
+</tr>
+
+</tbody></table>
+</body>
+</html>
\ No newline at end of file