From 5bc54d35382fb73a530e1b5ae69d722425a94426 Mon Sep 17 00:00:00 2001 From: Ahmet Bora Date: Tue, 8 Aug 2023 17:55:39 +0300 Subject: [PATCH] New `panel.frameAncestors` option --- src/Cms/Panel.php | 13 ++++- tests/Cms/Panel/PanelTest.php | 90 +++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 1 deletion(-) diff --git a/src/Cms/Panel.php b/src/Cms/Panel.php index 5f29623517..75fe7f62f3 100644 --- a/src/Cms/Panel.php +++ b/src/Cms/Panel.php @@ -134,8 +134,19 @@ public static function render(App $kirby) ] ]); + $frameAncestorsOption = $kirby->option('panel.frameAncestors'); + if ($frameAncestorsOption === true) { + $frameAncestors = "'self'"; + } elseif (is_array($frameAncestorsOption)) { + $frameAncestors = "'self' " . implode(' ', $frameAncestorsOption); + } elseif (is_string($frameAncestorsOption)) { + $frameAncestors = $frameAncestorsOption; + } else { + $frameAncestors = "'none'"; + } + return new Response($view->render(), 'text/html', 200, [ - 'Content-Security-Policy' => "frame-ancestors 'none'" + 'Content-Security-Policy' => 'frame-ancestors ' . $frameAncestors ]); } } diff --git a/tests/Cms/Panel/PanelTest.php b/tests/Cms/Panel/PanelTest.php index c4995aaba2..eb675e5308 100644 --- a/tests/Cms/Panel/PanelTest.php +++ b/tests/Cms/Panel/PanelTest.php @@ -6,6 +6,9 @@ use Kirby\Toolkit\F; use PHPUnit\Framework\TestCase; +/** + * @coversDefaultClass \Kirby\Cms\Panel + */ class PanelTest extends TestCase { protected $app; @@ -90,4 +93,91 @@ public function testRender(): void // clear session file $this->app->session()->destroy(); } + + /** + * @covers ::render + */ + public function testResponseFrameAncestorsSelf(): void + { + $this->app = $this->app->clone([ + 'options' => [ + 'panel' => [ + 'frameAncestors' => true + ] + ] + ]); + + // create panel dist files first to avoid redirect + Panel::link($this->app); + + // get panel response + $response = Panel::render($this->app); + + $this->assertInstanceOf('\Kirby\Http\Response', $response); + $this->assertSame(200, $response->code()); + $this->assertSame('text/html', $response->type()); + $this->assertSame('UTF-8', $response->charset()); + $this->assertSame("frame-ancestors 'self'", $response->header('Content-Security-Policy')); + $this->assertNotNull($response->body()); + } + + /** + * @covers ::render + */ + public function testResponseFrameAncestorsArray(): void + { + $this->app = $this->app->clone([ + 'options' => [ + 'panel' => [ + 'frameAncestors' => ['*.example.com', 'https://example.com'] + ] + ] + ]); + + // create panel dist files first to avoid redirect + Panel::link($this->app); + + // get panel response + $response = Panel::render($this->app); + + $this->assertInstanceOf('\Kirby\Http\Response', $response); + $this->assertSame(200, $response->code()); + $this->assertSame('text/html', $response->type()); + $this->assertSame('UTF-8', $response->charset()); + $this->assertSame( + "frame-ancestors 'self' *.example.com https://example.com", + $response->header('Content-Security-Policy') + ); + $this->assertNotNull($response->body()); + } + + /** + * @covers ::render + */ + public function testResponseFrameAncestorsString(): void + { + $this->app = $this->app->clone([ + 'options' => [ + 'panel' => [ + 'frameAncestors' => '*.example.com https://example.com' + ] + ] + ]); + + // create panel dist files first to avoid redirect + Panel::link($this->app); + + // get panel response + $response = Panel::render($this->app); + + $this->assertInstanceOf('\Kirby\Http\Response', $response); + $this->assertSame(200, $response->code()); + $this->assertSame('text/html', $response->type()); + $this->assertSame('UTF-8', $response->charset()); + $this->assertSame( + 'frame-ancestors *.example.com https://example.com', + $response->header('Content-Security-Policy') + ); + $this->assertNotNull($response->body()); + } }