Merge pull request #612 from TakwimuAfrica/fix/cors_use_same_origin-1…

…68169159 Enable same-origin for HURUmap & Flourish Viz
TakwimuAfrica · Sep 12, 2019 · f2b39e4 · f2b39e4
2 parents cb1d7a8 + b25a4f1
commit f2b39e4
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 6 deletions.
diff --git a/takwimu/takwimu_ui/src/components/DataContainer/HurumapDataContainer.js b/takwimu/takwimu_ui/src/components/DataContainer/HurumapDataContainer.js
@@ -64,9 +64,11 @@ function DataContainer({ id, data, theme, countryName }) {
     data.data_stat_type
   }&chartSourceLink=${data.data_source_link}&chartSourceTitle=${
     data.data_source_title
-  }&chartQualifier=${data.chart_qualifier
-    .replace('<br/>', '%0A')
-    .replace(/<(.|\n)*?>/g, '')}&stylesheet=/static/css/embedchart.css"
+  }&chartQualifier=${
+    data.chart_qualifier
+      ? data.chart_qualifier.replace('<br/>', '%0A').replace(/<(.|\n)*?>/g, '')
+      : ''
+  }&stylesheet=/static/css/embedchart.css"
 />`;
 
   return (

diff --git a/takwimu/takwimu_ui/src/components/DataContainer/IFrame.js b/takwimu/takwimu_ui/src/components/DataContainer/IFrame.js
@@ -92,8 +92,8 @@ function IFrame({ id, classes, data }) {
     chartSourceLink: data.data_source_link,
     chartSourceTitle: data.data_source_title,
     chartQualifier: data.chart_qualifier
-      .replace(/<br[ /]*>/g, '\n')
-      .replace(/<[^>]*>/g, '')
+      ? data.chart_qualifier.replace(/<br[ /]*>/g, '\n').replace(/<[^>]*>/g, '')
+      : ''
   };
   const queryString = Object.keys(params)
     .map(k => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)

diff --git a/takwimu/takwimu_ui/src/index.js b/takwimu/takwimu_ui/src/index.js
@@ -162,3 +162,6 @@ renderSearchResultsPage();
 renderLegalPage();
 render500Page();
 render404Page();
+
+// Same-origin policy
+document.domain = new URL(PROPS.takwimu.url).hostname;
diff --git a/takwimu/templates/settings_js.html b/takwimu/templates/settings_js.html
@@ -5,4 +5,7 @@
   {{ block.super }}
 
   var STATIC_PREFIX = '{% get_static_prefix %}';
+
+  // Same-origin policy for embeds
+  document.domain = new URL(SITE_URL).hostname;
 {% endblock settings_javascript %}
diff --git a/takwimu/views.py b/takwimu/views.py
@@ -7,6 +7,8 @@
 from wsgiref.util import FileWrapper
 
 import requests
+import bs4
+
 from django.conf import settings as takwimu_settings
 from django.core.serializers.json import DjangoJSONEncoder
 from django.shortcuts import get_object_or_404, render
@@ -365,8 +367,18 @@ def get(self, request, *args, **kwargs):
         file_path = zip_ref.extract(member, "/tmp/" + kwargs["document_id"])
         zip_ref.close()
         mode, content_type = ('r', 'text')
-        if not member.split('/')[-1].endswith( ('html', 'css', 'txt', 'svg')):
+        if not member.split('/')[-1].endswith(('html', 'css', 'txt', 'svg')):
             mode, content_type = ('rb', 'media/*')
+
+        if member == 'index.html':
+            soup = bs4.BeautifulSoup(open(file_path).read())
+            # Same-origin policy
+            script_tag = soup.new_tag("script", type="text/javascript")
+            script_tag.append(
+                'document.domain = new URL("{}").hostname;'.format(takwimu_settings.HURUMAP['url'])
+            )
+            soup.head.append(script_tag)
+            return Response(str(soup))
         return Response(open(file_path).read())