Commit 0c3b0435 authored by Romain Courteaud's avatar Romain Courteaud

erp5_web_js_style: factorise content security policy value

parent 0a8b9dd7
content_security_policy = "default-src 'self'"
if no_style_gadget_url:
content_security_policy += "; frame-src 'self' https://www.youtube-nocookie.com/embed/"
else:
# If not rendering gadget, fully disable javascript
# as nothing is expected
content_security_policy += "; script-src 'none'"
return content_security_policy
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>no_style_gadget_url</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>WebSection_generateContentSecurityPolicy</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -22,12 +22,13 @@ ...@@ -22,12 +22,13 @@
keyword_list python: web_section.getSubjectList(); keyword_list python: web_section.getSubjectList();
og_locale_dict python: web_site.WebSite_getOgLocaleDict(); og_locale_dict python: web_site.WebSite_getOgLocaleDict();
current_language python: web_site.getPortalObject().Localizer.get_selected_language(); current_language python: web_site.getPortalObject().Localizer.get_selected_language();
global_definitions_macros here/global_definitions/macros;"> global_definitions_macros here/global_definitions/macros;
content_security_policy python: web_section.WebSection_generateContentSecurityPolicy(no_style_gadget_url);">
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<!DOCTYPE html> <!DOCTYPE html>
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/" /> <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
<meta name="referrer" content="same-origin"> <meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" /> <meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
......
...@@ -14,12 +14,13 @@ ...@@ -14,12 +14,13 @@
favicon_url python: web_section.WebSection_generateLayoutPropertyUrl('configuration_favicon_url'); favicon_url python: web_section.WebSection_generateLayoutPropertyUrl('configuration_favicon_url');
og_locale_dict python: web_site.WebSite_getOgLocaleDict(); og_locale_dict python: web_site.WebSite_getOgLocaleDict();
current_language python: web_site.getPortalObject().Localizer.get_selected_language(); current_language python: web_site.getPortalObject().Localizer.get_selected_language();
global_definitions_macros here/global_definitions/macros;"> global_definitions_macros here/global_definitions/macros;
content_security_policy python: web_section.WebSection_generateContentSecurityPolicy('');">
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<!DOCTYPE html> <!DOCTYPE html>
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'" /> <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
<meta name="referrer" content="same-origin"> <meta name="referrer" content="same-origin">
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
<meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" /> <meta name="viewport" content="width=device-width,height=device-height,initial-scale=1" />
......
...@@ -24,7 +24,8 @@ ...@@ -24,7 +24,8 @@
og_locale_dict python: web_site.WebSite_getOgLocaleDict(); og_locale_dict python: web_site.WebSite_getOgLocaleDict();
current_language python: web_site.getPortalObject().Localizer.get_selected_language(); current_language python: web_site.getPortalObject().Localizer.get_selected_language();
global_definitions_macros here/global_definitions/macros; global_definitions_macros here/global_definitions/macros;
include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));"> include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));
content_security_policy python: web_section.WebSection_generateContentSecurityPolicy(no_style_gadget_url);">
<tal:block tal:condition="python: is_unexpected_reference_access"> <tal:block tal:condition="python: is_unexpected_reference_access">
<tal:block metal:use-macro="context/error_main/macros/master"> <tal:block metal:use-macro="context/error_main/macros/master">
<metal:slot metal:fill-slot="main" i18n:domain="erp5_ui"> <metal:slot metal:fill-slot="main" i18n:domain="erp5_ui">
...@@ -47,7 +48,7 @@ ...@@ -47,7 +48,7 @@
<!DOCTYPE html> <!DOCTYPE html>
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
<head> <head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/" /> <meta http-equiv="Content-Security-Policy" tal:attributes="content content_security_policy"/>
<meta name="referrer" content="same-origin"> <meta name="referrer" content="same-origin">
<meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" /> <meta http-equiv="Feature-Policy" content="accelerometer 'none'; ambient-light-sensor 'none'; autoplay: 'none'; battery: 'none'; camera: 'none'; display-capture: 'none'; document-domain: 'none'; encrypted-media: 'none'; geolocation: 'none'; gyroscope: 'none'; magnetometer: 'none'; microphone: 'none'; payment: 'none'; usb: 'none'" />
<base tal:attributes="href python: '%s/' % web_section.absolute_url()" /> <base tal:attributes="href python: '%s/' % web_section.absolute_url()" />
......
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>content_type</string> </key>
<value> <string>text/html</string> </value>
</item>
<item>
<key> <string>expand</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>testJsStyleContentSecurityPolicy</string> </value>
</item>
<item>
<key> <string>output_encoding</string> </key>
<value> <string>utf-8</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <unicode></unicode> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<html xmlns:tal="http://xml.zope.org/namespaces/tal"
xmlns:metal="http://xml.zope.org/namespaces/metal">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Test JS Style No Style</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">Test JS Style No Style</td></tr>
</thead><tbody>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
<tr>
<td colspan="3"><b>No javascript allowed if no style defined</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=nostyle</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
<td></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=nostyleform</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
<td></td>
</tr>
<tr>
<td colspan="3"><b>Javascript allowed if no style defined and youtube iframe</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=section</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=form</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; frame-src 'self' https://www.youtube-nocookie.com/embed/"]</td>
<td></td>
</tr>
<tr>
<td colspan="3"><b>No javascript allowed in case of error</b></td>
</tr>
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/WebSite_raiseNotImplementedError</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/meta[@http-equiv='Content-Security-Policy' and @content="default-src 'self'; script-src 'none'"]</td>
<td></td>
</tr>
</tbody></table>
</body>
</html>
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment