New panel.frameAncestors option
lukasbestle authored and afbora committed Aug 8, 2023
1 parent 4672b84 commit ff571a1
Showing 2 changed files with 102 additions and 1 deletion.
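--- a/src/Panel/Document.php
+++ b/src/Panel/Document.php
@@ -270,8 +270,16 @@ public static function response(array $fiber): Response
 'panelUrl' => $uri->path()->toString(true) . '/',
 ]);
 
+$frameAncestors = $kirby->option('panel.frameAncestors');
+$frameAncestors = match (true) {
+$frameAncestors === true => "'self'",
+is_array($frameAncestors) => "'self' " . implode(' ', $frameAncestors),
+is_string($frameAncestors) => $frameAncestors,
+default => "'none'"
+};
+
 return new Response($body, 'text/html', $code, [
-'Content-Security-Policy' => "frame-ancestors 'none'"
+'Content-Security-Policy' => 'frame-ancestors ' . $frameAncestors
 ]);
 }
 }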
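Review bot: The array arm of the `match` emits a trailing space when the option is an empty array (`"'self' " . implode(...)` yields `'self' `), and any non-string element would trigger an "Array to string conversion" notice; building the list first avoids both: `is_array($frameAncestors) => implode(' ', ["'self'", ...$frameAncestors]),`. The three accepted shapes also differ in a way worth a comment above the `match`, since `true` and arrays get `'self'` prepended while a string is used verbatim, e.g. `// true => 'self' only; array => 'self' plus the given sources; string => used as-is; anything else => 'none'`. Because the value is written straight into the Content-Security-Policy header, the comment should make clear this is developer-controlled configuration rather than anything derived from the request. The enclosing `response()` method starts before this hunk.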
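--- a/tests/Panel/DocumentTest.php
+++ b/tests/Panel/DocumentTest.php
@@ -358,4 +358,97 @@ public function testResponse(): void
 $this->assertSame("frame-ancestors 'none'", $response->header('Content-Security-Policy'));
 $this->assertNotNull($response->body());
 }
+
+/**
+ * @covers ::response
+ */
+public function testResponseFrameAncestorsSelf(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => true
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Document::link($this->app);
+
+// get panel response
+$response = Document::response([
+'test' => 'Test'
+]);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame("frame-ancestors 'self'", $response->header('Content-Security-Policy'));
+$this->assertNotNull($response->body());
+}
+
+/**
+ * @covers ::response
+ */
+public function testResponseFrameAncestorsArray(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => ['*.example.com', 'https://example.com']
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Document::link($this->app);
+
+// get panel response
+$response = Document::response([
+'test' => 'Test'
+]);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame(
+"frame-ancestors 'self' *.example.com https://example.com",
+$response->header('Content-Security-Policy')
+);
+$this->assertNotNull($response->body());
+}
+
+/**
+ * @covers ::response
+ */
+public function testResponseFrameAncestorsString(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => '*.example.com https://example.com'
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Document::link($this->app);
+
+// get panel response
+$response = Document::response([
+'test' => 'Test'
+]);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame(
+'frame-ancestors *.example.com https://example.com',
+$response->header('Content-Security-Policy')
+);
+$this->assertNotNull($response->body());
+}
 }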
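Review bot: The three new tests cover `true`, a non-empty array and a string, but not the boundary shapes of the option that the `match` in `Document::response()` also accepts: an empty array (which currently yields `frame-ancestors 'self' ` with a trailing space) and an explicit `false`, which should keep the `'none'` default already asserted in `testResponse`. The three methods are otherwise identical apart from the option value and the expected header, so a data provider would make adding those cases a one-line change; the file uses docblock annotations, so `@dataProvider` matches its style. Sketch of the consolidated test:

```php
public static function frameAncestorsProvider(): array
{
    return [
        [true, "frame-ancestors 'self'"],
        [['*.example.com', 'https://example.com'], "frame-ancestors 'self' *.example.com https://example.com"],
        ['*.example.com https://example.com', 'frame-ancestors *.example.com https://example.com'],
        [false, "frame-ancestors 'none'"],
        // [[], "frame-ancestors 'self'"], // expected value to be decided with the fix for the trailing space
    ];
}

/**
 * @covers ::response
 * @dataProvider frameAncestorsProvider
 */
public function testResponseFrameAncestors(bool|array|string $option, string $expected): void
{
    $this->app = $this->app->clone([
        'options' => ['panel' => ['frameAncestors' => $option]]
    ]);
    // … unchanged: Document::link(), Document::response(), code/type/charset assertions …
    $this->assertSame($expected, $response->header('Content-Security-Policy'));
}
```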
