Commit 5eba1cb7 authored by iv's avatar iv

OfficeJS: Add CSP configuration option.

parent 26c65447
...@@ -351,6 +351,16 @@ ...@@ -351,6 +351,16 @@
<value> <string>string</string> </value> <value> <string>string</string> </value>
</item> </item>
</dictionary> </dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -392,6 +402,10 @@ ...@@ -392,6 +402,10 @@
<key> <string>configuration_application_title</string> </key> <key> <string>configuration_application_title</string> </key>
<value> <string>Text Editor</string> </value> <value> <string>Text Editor</string> </value>
</item> </item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value> <string>default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' https://localhost:5000 mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:</string> </value>
</item>
<item> <item>
<key> <string>configuration_default_view_action_reference</string> </key> <key> <string>configuration_default_view_action_reference</string> </key>
<value> <value>
...@@ -721,7 +735,7 @@ ...@@ -721,7 +735,7 @@
</item> </item>
<item> <item>
<key> <string>serial</string> </key> <key> <string>serial</string> </key>
<value> <string>946.4378.53544.28347</string> </value> <value> <string>947.57052.16419.11059</string> </value>
</item> </item>
<item> <item>
<key> <string>state</string> </key> <key> <string>state</string> </key>
...@@ -739,7 +753,7 @@ ...@@ -739,7 +753,7 @@
</tuple> </tuple>
<state> <state>
<tuple> <tuple>
<float>1446730078.39</float> <float>1450452633.63</float>
<string>UTC</string> <string>UTC</string>
</tuple> </tuple>
</state> </state>
......
...@@ -178,6 +178,16 @@ ...@@ -178,6 +178,16 @@
<value> <string>string</string> </value> <value> <string>string</string> </value>
</item> </item>
</dictionary> </dictionary>
<dictionary>
<item>
<key> <string>id</string> </key>
<value> <string>configuration_content_security_policy</string> </value>
</item>
<item>
<key> <string>type</string> </key>
<value> <string>string</string> </value>
</item>
</dictionary>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -193,6 +203,12 @@ ...@@ -193,6 +203,12 @@
<none/> <none/>
</value> </value>
</item> </item>
<item>
<key> <string>configuration_content_security_policy</string> </key>
<value>
<none/>
</value>
</item>
<item> <item>
<key> <string>configuration_frontpage_gadget_url</string> </key> <key> <string>configuration_frontpage_gadget_url</string> </key>
<value> <value>
...@@ -414,7 +430,7 @@ ...@@ -414,7 +430,7 @@
</item> </item>
<item> <item>
<key> <string>actor</string> </key> <key> <string>actor</string> </key>
<value> <string>cedric.le.ninivin</string> </value> <value> <string>zope</string> </value>
</item> </item>
<item> <item>
<key> <string>comment</string> </key> <key> <string>comment</string> </key>
...@@ -428,7 +444,7 @@ ...@@ -428,7 +444,7 @@
</item> </item>
<item> <item>
<key> <string>serial</string> </key> <key> <string>serial</string> </key>
<value> <string>945.58601.10119.52531</string> </value> <value> <string>947.56939.21991.31146</string> </value>
</item> </item>
<item> <item>
<key> <string>state</string> </key> <key> <string>state</string> </key>
...@@ -446,7 +462,7 @@ ...@@ -446,7 +462,7 @@
</tuple> </tuple>
<state> <state>
<tuple> <tuple>
<float>1443112993.68</float> <float>1450449679.31</float>
<string>UTC</string> <string>UTC</string>
</tuple> </tuple>
</state> </state>
......
...@@ -56,6 +56,7 @@ if response is None:\n ...@@ -56,6 +56,7 @@ if response is None:\n
response = REQUEST.RESPONSE\n response = REQUEST.RESPONSE\n
\n \n
web_page = context\n web_page = context\n
web_section = REQUEST.get("current_web_section")\n
\n \n
if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n if REQUEST.getHeader(\'If-Modified-Since\', \'\') == web_page.getModificationDate().rfc822():\n
response.setStatus(304)\n response.setStatus(304)\n
...@@ -77,12 +78,17 @@ elif (portal_type == "Web Manifest"):\n ...@@ -77,12 +78,17 @@ elif (portal_type == "Web Manifest"):\n
else:\n else:\n
if (mapping_dict is not None):\n if (mapping_dict is not None):\n
web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n web_content = web_page.TextDocument_substituteTextContent(web_page, web_content, mapping_dict=mapping_dict)\n
\n
content_security_policy = "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' data:; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:"\n
if (web_section):\n
content_security_policy = web_section.getLayoutProperty("configuration_content_security_policy", default=content_security_policy)\n
\n
# Do not allow to put inside an iframe\n # Do not allow to put inside an iframe\n
response.setHeader("X-Frame-Options", "SAMEORIGIN")\n response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
response.setHeader("X-Content-Type-Options", "nosniff")\n response.setHeader("X-Content-Type-Options", "nosniff")\n
\n \n
# Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\' blob:; connect-src \'self\' mail.tiolive.com data:; script-src \'self\' \'unsafe-eval\'; font-src netdna.bootstrapcdn.com; style-src \'self\' netdna.bootstrapcdn.com \'unsafe-inline\' data:; frame-src \'self\' data:")\n response.setHeader("Content-Security-Policy", content_security_policy)\n
\n \n
response.setHeader(\'Content-Type\', \'text/html\')\n response.setHeader(\'Content-Type\', \'text/html\')\n
\n \n
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment