erp5_web_js_style: configure the accepted iframe list on the web site

bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style/WebSection_viewJsstylePreference.xml

@@ -76,7 +76,9 @@
                 <item>
                     <key> <string>center</string> </key>
                     <value>
-                      <list/>
+                      <list>
+                        <string>my_configuration_iframe_url_text</string>
+                      </list>
                     </value>
                 </item>
                 <item>

bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.py

 content_security_policy = "default-src 'self'; img-src 'self' data:"
 
 if no_style_gadget_url:
-  content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/"
+  web_section = context
+  iframe_url_list = [x.strip() for x in web_section.getLayoutProperty('configuration_iframe_url_text', default='').split('\n') if x.strip()]
+  if iframe_url_list:
+    content_security_policy = "%s; frame-src 'self' %s" % (content_security_policy, ' '.join(iframe_url_list))
 else:
   # If not rendering gadget, fully disable javascript
   # as nothing is expected

bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt

@@ -59,7 +59,7 @@
 </tr>
 
 <tr>
-  <td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td>
+  <td colspan="3"><b>Javascript allowed if style defined and youtube iframe</b></td>
 </tr>
 <tr>
   <td>open</td>
@@ -79,7 +79,7 @@
 </tr>
 <tr>
   <td>assertElementPresent</td>
-  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
   <td></td>
 </tr>
 
@@ -101,7 +101,7 @@
 </tr>
 <tr>
   <td>assertElementPresent</td>
-  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]</td>
   <td></td>
 </tr>
 
@@ -119,6 +119,31 @@
   <td></td>
 </tr>
 
+<tr>
+  <td colspan="3"><b>Javascript allowed if style defined and accepted iframe list</b></td>
+</tr>
+<tr>
+  <td>open</td>
+  <td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=iframe</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Web Site created.</td>
+  <td></td>
+</tr>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertElementPresent</td>
+  <td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://example.org/foo https://example.org/bar"]</td>
+  <td></td>
+</tr>
+
 </tbody></table>
 </body>
 </html>
\ No newline at end of file

bt5/erp5_web_js_style_test/SkinTemplateItem/portal_skins/erp5_web_js_style_test/ERP5Site_createWebJSStyleZuiteTestData.py

@@ -194,6 +194,11 @@ configuration_dict = {
     'title': "Demo Style",
     'site_map_section_parent': True
   },
+  'iframe': {
+    'configuration_style_gadget_url': "jsstyle_demo.html",
+    'configuration_iframe_url_text': "https://example.org/foo\nhttps://example.org/bar\n \n",
+    'title': "Demo Style with iframe"
+  },
   'not_loading': {
     'configuration_style_gadget_url': "jsstyle_demo_not_loading.html",
     'title': "Not Loading Style",