OfficeJS: Add CSP configuration option.

bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor.xml

@@ -351,6 +351,16 @@
                       <value> <string>string</string> </value>
                   </item>
                 </dictionary>
+                <dictionary>
+                  <item>
+                      <key> <string>id</string> </key>
+                      <value> <string>configuration_content_security_policy</string> </value>
+                  </item>
+                  <item>
+                      <key> <string>type</string> </key>
+                      <value> <string>string</string> </value>
+                  </item>
+                </dictionary>
               </tuple>
             </value>
         </item>
@@ -392,6 +402,10 @@
             <key> <string>configuration_application_title</string> </key>
             <value> <string>Text Editor</string> </value>
         </item>
+        <item>
+            <key> <string>configuration_content_security_policy</string> </key>
+            <value> <string>default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' https://localhost:5000 mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:</string> </value>
+        </item>
         <item>
             <key> <string>configuration_default_view_action_reference</string> </key>
             <value>
@@ -721,7 +735,7 @@
             </item>
             <item>
                 <key> <string>serial</string> </key>
-                <value> <string>946.4378.53544.28347</string> </value>
+                <value> <string>947.57052.16419.11059</string> </value>
             </item>
             <item>
                 <key> <string>state</string> </key>
@@ -739,7 +753,7 @@
                     </tuple>
                     <state>
                       <tuple>
-                        <float>1446730078.39</float>
+                        <float>1450452633.63</float>
                         <string>UTC</string>
                       </tuple>
                     </state>

bt5/erp5_officejs/PathTemplateItem/web_site_module/officejs_text_editor/hateoas.xml

@@ -178,6 +178,16 @@
                       <value> <string>string</string> </value>
                   </item>
                 </dictionary>
+                <dictionary>
+                  <item>
+                      <key> <string>id</string> </key>
+                      <value> <string>configuration_content_security_policy</string> </value>
+                  </item>
+                  <item>
+                      <key> <string>type</string> </key>
+                      <value> <string>string</string> </value>
+                  </item>
+                </dictionary>
               </tuple>
             </value>
         </item>
@@ -193,6 +203,12 @@
               <none/>
             </value>
         </item>
+        <item>
+            <key> <string>configuration_content_security_policy</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
         <item>
             <key> <string>configuration_frontpage_gadget_url</string> </key>
             <value>
@@ -414,7 +430,7 @@
             </item>
             <item>
                 <key> <string>actor</string> </key>
-                <value> <string>cedric.le.ninivin</string> </value>
+                <value> <string>zope</string> </value>
             </item>
             <item>
                 <key> <string>comment</string> </key>
@@ -428,7 +444,7 @@
             </item>
             <item>
                 <key> <string>serial</string> </key>
-                <value> <string>945.58601.10119.52531</string> </value>
+                <value> <string>947.56939.21991.31146</string> </value>
             </item>
             <item>
                 <key> <string>state</string> </key>
@@ -446,7 +462,7 @@
                     </tuple>
                     <state>
                       <tuple>
-                        <float>1443112993.68</float>
+                        <float>1450449679.31</float>
                         <string>UTC</string>
                       </tuple>
                     </state>

bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsWeb.xml

@@ -56,6 +56,7 @@ if response is None:\n
   response = REQUEST.RESPONSE\n
 \n
 web_page = context\n
+web_section = REQUEST.get("current_web_section")\n
 \n
 if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n
   response.setStatus(304)\n
@@ -77,12 +78,17 @@ elif (portal_type == "Web Manifest"):\n
 else:\n
   if (mapping_dict is not None):\n
     web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
+\n
+  content_security_policy = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' data:; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:"\n
+  if (web_section):\n
+    content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)\n
+\n
   # Do not allow to put inside an iframe\n
   response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
   response.setHeader("X-Content-Type-Options", "nosniff")\n
 \n
   # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
-  response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:")\n
+  response.setHeader("Content-Security-Policy", content_security_policy)\n
 \n
   response.setHeader(\'Content-Type\', \'text/html\')\n
 \n