erp5_web_renderjs_ui: add the Content-Security-Policy configuration in the HTML page too

This will allow to propagate the CSP configuration on officejs.com

erp5_web_renderjs_ui: add the Content-Security-Policy configuration in the HTML page too
This will allow to propagate the CSP configuration on officejs.com
68baa37c · Romain Courteaud · d303ca49 · 68baa37c · 68baa37c · 68baa37c
Commit 68baa37c authored Apr 21, 2022 by Romain Courteaud
3 changed files
--- a/bt5/erp5_web_renderjs_ui/PathTemplateItem/web_page_module/rjs_gadget_erp5_launcher_html.html
+++ b/bt5/erp5_web_renderjs_ui/PathTemplateItem/web_page_module/rjs_gadget_erp5_launcher_html.html
@@ -2,6 +2,7 @@
 <html ${manifest_attribute}>
  <head>
    <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="${content_security_policy}" />
    <meta name="google" content="notranslate">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="shortcut icon" href="${icon_url}">

--- a/bt5/erp5_web_renderjs_ui/PathTemplateItem/web_page_module/rjs_gadget_erp5_launcher_html.xml
+++ b/bt5/erp5_web_renderjs_ui/PathTemplateItem/web_page_module/rjs_gadget_erp5_launcher_html.xml
@@ -240,7 +240,7 @@
                  </item>
                  <item>
                      <key> <string>serial</string> </key>
-                      <value> <string>988.54689.43253.59187</string> </value>
+                      <value> <string>999.45838.25715.22579</string> </value>
                  </item>
                  <item>
                      <key> <string>state</string> </key>
@@ -258,7 +258,7 @@
                          </tuple>
                          <state>
                            <tuple>
-                              <float>1609513682.22</float>
+                              <float>1650536641.08</float>
                              <string>UTC</string>
                            </tuple>
                          </state>

--- a/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsWeb.py
+++ b/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsWeb.py
@@ -46,15 +46,16 @@ elif (portal_type == "Web Manifest"):
  response.setHeader('Content-Type', 'text/cache-manifest; charset=utf-8')

 else:
-  if (mapping_dict is not None):
-    web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
-
  content_security_policy = "default-src 'self' data: blob:"
  x_frame_options = "SAMEORIGIN"
  if (web_section):
-    content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)
+    content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy).replace('"', "'")
    x_frame_options = web_section.getLayoutProperty("configuration_x_frame_options", default=x_frame_options)

+  if (mapping_dict is not None):
+    mapping_dict['content_security_policy'] = content_security_policy
+    web_content = web_page.TextDocument_substituteTextContent(web_content, mapping_dict=mapping_dict)
+
  # Do not allow to put inside an iframe
  if not x_frame_options == "ALLOW-FROM-ALL":
    response.setHeader("X-Frame-Options", x_frame_options)