Commit 5eba1cb7 authored by iv's avatar iv

OfficeJS: Add CSP configuration option.

parent 26c65447
......@@ -351,6 +351,16 @@
<value> <string>string</string> </value>
</item>
</dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple>
</value>
</item>
......@@ -392,6 +402,10 @@
<key> <string>configuration_application_title</string> </key>
<value> <string>Text Editor</string> </value>
</item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value> <string>default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' https://localhost:5000 mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:</string> </value>
</item>
<item>
<key> <string>configuration_default_view_action_reference</string> </key>
<value>
......@@ -721,7 +735,7 @@
</item>
<item>
<key> <string>serial</string> </key>
<value> <string>946.4378.53544.28347</string> </value>
<value> <string>947.57052.16419.11059</string> </value>
</item>
<item>
<key> <string>state</string> </key>
......@@ -739,7 +753,7 @@
</tuple>
<state>
<tuple>
<float>1446730078.39</float>
<float>1450452633.63</float>
<string>UTC</string>
</tuple>
</state>
......
......@@ -178,6 +178,16 @@
<value> <string>string</string> </value>
</item>
</dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple>
</value>
</item>
......@@ -193,6 +203,12 @@
<none/>
</value>
</item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>configuration_frontpage_gadget_url</string> </key>
<value>
......@@ -414,7 +430,7 @@
</item>
<item>
<key> <string>actor</string> </key>
<value> <string>cedric.le.ninivin</string> </value>
<value> <string>zope</string> </value>
</item>
<item>
<key> <string>comment</string> </key>
......@@ -428,7 +444,7 @@
</item>
<item>
<key> <string>serial</string> </key>
<value> <string>945.58601.10119.52531</string> </value>
<value> <string>947.56939.21991.31146</string> </value>
</item>
<item>
<key> <string>state</string> </key>
......@@ -446,7 +462,7 @@
</tuple>
<state>
<tuple>
<float>1443112993.68</float>
<float>1450449679.31</float>
<string>UTC</string>
</tuple>
</state>
......
......@@ -56,6 +56,7 @@ if response is None:\n
response = REQUEST.RESPONSE\n
\n
web_page = context\n
web_section = REQUEST.get("current_web_section")\n
\n
if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n
response.setStatus(304)\n
......@@ -77,12 +78,17 @@ elif (portal_type == "Web Manifest"):\n
else:\n
if (mapping_dict is not None):\n
web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
\n
content_security_policy = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' data:; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:"\n
if (web_section):\n
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)\n
\n
# Do not allow to put inside an iframe\n
response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
response.setHeader("X-Content-Type-Options", "nosniff")\n
\n
# Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:")\n
response.setHeader("Content-Security-Policy", content_security_policy)\n
\n
response.setHeader(\'Content-Type\', \'text/html\')\n
\n
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment