Commit 298ef0f3 authored by Romain Courteaud's avatar Romain Courteaud Committed by Xiaowu Zhang

erp5_web_js_style: add CSP/feature/referer policy tags

Use CSP to improve protection against XSS and improve user privacy.

No javascript is supposed to be executed on the error page.
parent bdf23784
...@@ -27,6 +27,9 @@ ...@@ -27,6 +27,9 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
<meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title> <title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title>
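Review bot: the Feature-Policy line in this hunk will have no effect as written, for two reasons. First, browsers only read Feature-Policy (and its successor Permissions-Policy) from the HTTP response header or an iframe's `allow` attribute; there is no `http-equiv` meta form, so the element is ignored. Second, the directive syntax is `feature allowlist` with a space, as in the first entry `accelerometer 'none'`; every entry after it uses a colon (`autoplay: 'none'`, `camera: 'none'`, ...), which makes the feature name unrecognized even where a header is used. The policy belongs in the response headers set by the web section or front-end proxy, spelled `accelerometer 'none'; autoplay 'none'; camera 'none'; ...` (or in Permissions-Policy form, `camera=(), microphone=()`). Separately, `default-src 'self'` with no `style-src` or `script-src` exceptions blocks inline `<style>`, `style` attributes and inline event handlers, so pages rendered through this template should be checked for such inline content before this ships.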
......
...@@ -19,6 +19,8 @@ ...@@ -19,6 +19,8 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'" />
<meta name="referrer" content="same-origin">
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: web_section.getTranslatedTitle()"></title> <title tal:content="python: web_section.getTranslatedTitle()"></title>
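Review bot: this template adds only the CSP and referrer tags and omits the Feature-Policy meta that the other two templates in this commit add; if the omission is deliberate for the error page, the commit message should say so, and if not, the same restrictions should be applied here for consistency. The CSP itself matches the message (`script-src 'none'` blocks inline and external script alike, so the error page cannot run JavaScript). Minor style point: `<meta name="referrer" content="same-origin">` lacks the self-closing ` />` that the neighbouring `<meta>` and `<base>` elements use in this file.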
...@@ -29,8 +31,8 @@ ...@@ -29,8 +31,8 @@
<link rel="stylesheet" tal:attributes="href no_style_css_url"> <link rel="stylesheet" tal:attributes="href no_style_css_url">
</head> </head>
<body> <body>
<tal:block tal:content="structure python: web_section.WebSection_generateNavigationHTML()"></tal:block> <tal:block tal:content="structure python: web_section.WebSection_generateNavigationHTML()"></tal:block>
<main><tal:block metal:define-slot="main"/></main> <main><tal:block metal:define-slot="main"/></main>
</body> </body>
</html> </html>
</tal:block> </tal:block>
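Review bot: this hunk shows identical content on both sides, so whatever it changes is whitespace or line-ending only; unrelated reformatting is better kept out of a commit that introduces security policy, or at least called out in the commit message so reviewers do not have to guess what moved.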
......
...@@ -27,6 +27,9 @@ ...@@ -27,6 +27,9 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
<meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title> <title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title>
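Review bot: same defect as in the first template: the `http-equiv="Feature-Policy"` meta is not a delivery mechanism browsers honour (the policy is read from the HTTP header or an iframe `allow` attribute only), and all entries after `accelerometer 'none'` use an invalid `feature: 'none'` form with a colon instead of `feature 'none'`. Since the two templates carry an identical header block, moving the policy into a shared header (or the `header_definitions` macro already used on the first line of the hunk) would avoid fixing it twice.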
......