Commit b0013fa3 authored by Romain Courteaud's avatar Romain Courteaud

erp5_web_js_style: configure the accepted iframe list on the web site

parent 9352f3b1
......@@ -76,7 +76,9 @@
<item>
<key> <string>center</string> </key>
<value>
<list/>
<list>
<string>my_configuration_iframe_url_text</string>
</list>
</value>
</item>
<item>
......
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="TextAreaField" module="Products.Formulator.StandardFields"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>my_configuration_iframe_url_text</string> </value>
</item>
<item>
<key> <string>message_values</string> </key>
<value>
<dictionary>
<item>
<key> <string>external_validator_failed</string> </key>
<value> <string>The input failed the external validator.</string> </value>
</item>
<item>
<key> <string>line_too_long</string> </key>
<value> <string>A line was too long.</string> </value>
</item>
<item>
<key> <string>required_not_found</string> </key>
<value> <string>Input is required but no input given.</string> </value>
</item>
<item>
<key> <string>too_long</string> </key>
<value> <string>You entered too many characters.</string> </value>
</item>
<item>
<key> <string>too_many_lines</string> </key>
<value> <string>You entered too many lines.</string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>overrides</string> </key>
<value>
<dictionary>
<item>
<key> <string>alternate_name</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>css_class</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>default</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>editable</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>enabled</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>external_validator</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>extra</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>height</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>hidden</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_length</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_linelength</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_lines</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>required</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>unicode</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>whitespace_preserve</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>width</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>tales</string> </key>
<value>
<dictionary>
<item>
<key> <string>alternate_name</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>css_class</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>default</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>editable</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>enabled</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>external_validator</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>extra</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>height</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>hidden</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_length</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_linelength</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_lines</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>required</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>unicode</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>whitespace_preserve</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>width</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</value>
</item>
<item>
<key> <string>values</string> </key>
<value>
<dictionary>
<item>
<key> <string>alternate_name</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>css_class</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>default</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>editable</string> </key>
<value> <int>1</int> </value>
</item>
<item>
<key> <string>enabled</string> </key>
<value> <int>1</int> </value>
</item>
<item>
<key> <string>external_validator</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>extra</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>height</string> </key>
<value> <int>5</int> </value>
</item>
<item>
<key> <string>hidden</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>max_length</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_linelength</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>max_lines</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>required</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string>Allowed Iframe URL</string> </value>
</item>
<item>
<key> <string>unicode</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>whitespace_preserve</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>width</string> </key>
<value> <int>40</int> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
content_security_policy = "default-src 'self'; img-src 'self' data:"
if no_style_gadget_url:
content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/"
web_section = context
iframe_url_list = [x.strip() for x in web_section.getLayoutProperty('configuration_iframe_url_text', default='').split('\n') if x.strip()]
if iframe_url_list:
content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))
else:
# If not rendering gadget, fully disable javascript
# as nothing is expected
......
......@@ -59,7 +59,7 @@
</tr>
<tr>
<td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td>
<td colspan="3"><b>Javascript allowed if style defined and youtube iframe</b></td>
</tr>
<tr>
<td>open</td>
......@@ -79,7 +79,7 @@
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td>
</tr>
......@@ -101,7 +101,7 @@
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
<td></td>
</tr>
......@@ -119,6 +119,31 @@
<td></td>
</tr>
<tr>
<td colspan="3"><b>Javascript allowed if style defined and accepted iframe list</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=iframe</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://example.org/foo https://example.org/bar"]</td>
<td></td>
</tr>
</tbody></table>
</body>
</html>
\ No newline at end of file
......@@ -194,6 +194,11 @@ configuration_dict = {
'title': "Demo Style",
'site_map_section_parent': True
},
'iframe': {
'configuration_style_gadget_url': "jsstyle_demo.html",
'configuration_iframe_url_text': "https://example.org/foo\nhttps://example.org/bar\n \n",
'title': "Demo Style with iframe"
},
'not_loading': {
'configuration_style_gadget_url': "jsstyle_demo_not_loading.html",
'title': "Not Loading Style",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment