Commit 298ef0f3 authored by Romain Courteaud's avatar Romain Courteaud Committed by Xiaowu Zhang

erp5_web_js_style: add CSP/feature/referer policy tags

Use CSP to improve protection against XSS and improve user privacy.

No javascript is supposed to be executed on the error page.
parent bdf23784
...@@ -27,6 +27,9 @@ ...@@ -27,6 +27,9 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
<meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title> <title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title>
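Review bot: the Feature-Policy value on the added `<meta http-equiv="Feature-Policy" ...>` line mixes two syntaxes: `accelerometer 'none'` and `ambient-light-sensor 'none'` use the space-separated form the header expects, while `autoplay: 'none'`, `battery: 'none'` and the rest carry a trailing colon on the feature name, so a parser splitting on whitespace will treat `autoplay:` as an unknown feature and drop every directive from `autoplay` onward. Suggest dropping the colons, e.g. `autoplay 'none'; battery 'none'; camera 'none'`. Separately, Feature-Policy is defined as an HTTP response header and browsers do not honour it from a `<meta http-equiv>` element, so to actually enforce it the policy should be sent as a header from the ERP5 response rather than from the template; the CSP meta tag, by contrast, is honoured, but note that a meta CSP cannot carry `frame-ancestors`, `report-uri` or `sandbox`, so clickjacking protection still needs a header. Minor style point: the `<meta name="referrer" content="same-origin">` line is the only new element without the `/>` self-closing form used by the neighbouring tags.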
......
...@@ -19,6 +19,8 @@ ...@@ -19,6 +19,8 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'" />
<meta name="referrer" content="same-origin">
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: web_section.getTranslatedTitle()"></title> <title tal:content="python: web_section.getTranslatedTitle()"></title>
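Review bot: this hunk adds only the CSP and referrer tags and omits the Feature-Policy meta that the other two templates receive; if the omission is deliberate for the error page it would help to say so in the commit message, otherwise the three templates should carry the same set of tags. The `script-src 'none'` directive is consistent with the stated intent that no JavaScript runs on the error page, but since `default-src 'self'` is already present it is worth confirming that the error page template contains no inline event handlers or `<script>` elements that this would now silently block. Same style point as the other hunks: `<meta name="referrer" content="same-origin">` lacks the `/>` used by the surrounding tags.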
......
...@@ -27,6 +27,9 @@ ...@@ -27,6 +27,9 @@
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
<meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
<title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title> <title tal:content="python: here.getTranslatedTitle() or web_section.getTranslatedTitle()"></title>
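Review bot: same defect as in the first hunk: the Feature-Policy value is inconsistent, with `accelerometer 'none'` and `ambient-light-sensor 'none'` in the correct space-separated form but `autoplay: 'none'` through `usb: 'none'` written with a colon after the feature name, which is not valid Feature-Policy syntax and leaves those features unrestricted. Suggest `autoplay 'none'; battery 'none'; camera 'none'; ...` throughout, and since the two templates carry an identical policy string, consider factoring it into the shared `global_definitions_macros` header definitions already used on the first line of the hunk so the two copies cannot drift. The caveat about `<meta http-equiv="Feature-Policy">` not being honoured by browsers (header only) applies here as well.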
......