Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
erp5
Commits
b0013fa3
Commit
b0013fa3
authored
Feb 16, 2023
by
Romain Courteaud
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
erp5_web_js_style: configure the accepted iframe list on the web site
parent
9352f3b1
Changes
5
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
320 additions
and
5 deletions
+320
-5
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style/WebSection_viewJsstylePreference.xml
...ns/erp5_web_js_style/WebSection_viewJsstylePreference.xml
+3
-1
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style/WebSection_viewJsstylePreference/my_configuration_iframe_url_text.xml
...iewJsstylePreference/my_configuration_iframe_url_text.xml
+280
-0
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.py
...b_js_style_ui/WebSection_generateContentSecurityPolicy.py
+4
-1
bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt
...tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt
+28
-3
bt5/erp5_web_js_style_test/SkinTemplateItem/portal_skins/erp5_web_js_style_test/ERP5Site_createWebJSStyleZuiteTestData.py
...b_js_style_test/ERP5Site_createWebJSStyleZuiteTestData.py
+5
-0
No files found.
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style/WebSection_viewJsstylePreference.xml
View file @
b0013fa3
...
...
@@ -76,7 +76,9 @@
<item>
<key>
<string>
center
</string>
</key>
<value>
<list/>
<list>
<string>
my_configuration_iframe_url_text
</string>
</list>
</value>
</item>
<item>
...
...
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style/WebSection_viewJsstylePreference/my_configuration_iframe_url_text.xml
0 → 100644
View file @
b0013fa3
This diff is collapsed.
Click to expand it.
bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateContentSecurityPolicy.py
View file @
b0013fa3
content_security_policy
=
"default-src 'self'; img-src 'self' data:"
if
no_style_gadget_url
:
content_security_policy
+=
"; frame-src 'self' https://www.youtube-nocookie.com/embed/"
web_section
=
context
iframe_url_list
=
[
x
.
strip
()
for
x
in
web_section
.
getLayoutProperty
(
'configuration_iframe_url_text'
,
default
=
''
).
split
(
'
\
n
'
)
if
x
.
strip
()]
if
iframe_url_list
:
content_security_policy
=
"%s; frame-src 'self' %s"
%
(
content_security_policy
,
' '
.
join
(
iframe_url_list
))
else
:
# If not rendering gadget, fully disable javascript
# as nothing is expected
...
...
bt5/erp5_web_js_style_test/PathTemplateItem/portal_tests/js_style_zuite/testJsStyleContentSecurityPolicy.zpt
View file @
b0013fa3
...
...
@@ -59,7 +59,7 @@
</tr>
<tr>
<td
colspan=
"3"
><b>
Javascript allowed if
no
style defined and youtube iframe
</b></td>
<td
colspan=
"3"
><b>
Javascript allowed if style defined and youtube iframe
</b></td>
</tr>
<tr>
<td>
open
</td>
...
...
@@ -79,7 +79,7 @@
</tr>
<tr>
<td>
assertElementPresent
</td>
<td>
//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:
; frame-src 'self' https://www.youtube-nocookie.com/embed/
"]
</td>
<td>
//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]
</td>
<td></td>
</tr>
...
...
@@ -101,7 +101,7 @@
</tr>
<tr>
<td>
assertElementPresent
</td>
<td>
//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:
; frame-src 'self' https://www.youtube-nocookie.com/embed/
"]
</td>
<td>
//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:"]
</td>
<td></td>
</tr>
...
...
@@ -119,6 +119,31 @@
<td></td>
</tr>
<tr>
<td
colspan=
"3"
><b>
Javascript allowed if style defined and accepted iframe list
</b></td>
</tr>
<tr>
<td>
open
</td>
<td>
${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=iframe
</td>
<td></td>
</tr>
<tr>
<td>
assertTextPresent
</td>
<td>
Web Site created.
</td>
<td></td>
</tr>
<tal:block
metal:use-macro=
"here/Zuite_CommonTemplate/macros/wait_for_activities"
/>
<tr>
<td>
open
</td>
<td>
${base_url}/web_site_module/erp5_web_js_style_test_site/
</td>
<td></td>
</tr>
<tr>
<td>
assertElementPresent
</td>
<td>
//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; img-src 'self' data:; frame-src 'self' https://example.org/foo https://example.org/bar"]
</td>
<td></td>
</tr>
</tbody></table>
</body>
</html>
\ No newline at end of file
bt5/erp5_web_js_style_test/SkinTemplateItem/portal_skins/erp5_web_js_style_test/ERP5Site_createWebJSStyleZuiteTestData.py
View file @
b0013fa3
...
...
@@ -194,6 +194,11 @@ configuration_dict = {
'title'
:
"Demo Style"
,
'site_map_section_parent'
:
True
},
'iframe'
:
{
'configuration_style_gadget_url'
:
"jsstyle_demo.html"
,
'configuration_iframe_url_text'
:
"https://example.org/foo
\
n
https://example.org/bar
\
n
\
n
"
,
'title'
:
"Demo Style with iframe"
},
'not_loading'
:
{
'configuration_style_gadget_url'
:
"jsstyle_demo_not_loading.html"
,
'title'
:
"Not Loading Style"
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment