New panel.frameAncestors option
lukasbestle authored and afbora committed Aug 9, 2023
1 parent 5f1311f commit 6a59030
Showing 2 changed files with 105 additions and 1 deletion.
13 changes: 12 additions & 1 deletion src/Panel/Document.php
Expand Up @@ -291,8 +291,19 @@ public static function response(array $fiber)
'panelUrl' => $uri->path()->toString(true) . '/',
]);

$frameAncestorsOption = $kirby->option('panel.frameAncestors');
if ($frameAncestorsOption === true) {
$frameAncestors = "'self'";
} elseif (is_array($frameAncestorsOption)) {
$frameAncestors = "'self' " . implode(' ', $frameAncestorsOption);
} elseif (is_string($frameAncestorsOption)) {
$frameAncestors = $frameAncestorsOption;
} else {
$frameAncestors = "'none'";
}

return new Response($body, 'text/html', $code, [
'Content-Security-Policy' => "frame-ancestors 'none'"
'Content-Security-Policy' => 'frame-ancestors ' . $frameAncestors
]);
}
}
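Review bot: The array and string forms of the new option behave differently — an array gets `'self'` prepended while a string is emitted verbatim — and nothing in the hunk records that a string value must spell out `'self'` itself if same-origin embedding is still wanted; a comment above the chain such as `// array: 'self' is added automatically; string: used verbatim, so include 'self' yourself if needed` would prevent that surprise. The option value is also spliced into the `Content-Security-Policy` header unvalidated, so a config value containing `;` would silently append further CSP directives to the Panel response; because this is site configuration rather than request input it is a hardening point rather than a vulnerability, but a guard like `if (preg_match('/[;\r\n]/', $frameAncestors)) { throw new InvalidArgumentException('Invalid panel.frameAncestors value'); }` would make such a misconfiguration fail loudly instead of weakening the clickjacking protection. The enclosing `response()` method starts before this hunk.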
93 changes: 93 additions & 0 deletions tests/Panel/DocumentTest.php
Expand Up @@ -356,4 +356,97 @@ public function testResponse(): void
$this->assertSame("frame-ancestors 'none'", $response->header('Content-Security-Policy'));
$this->assertNotNull($response->body());
}

/**
* @covers ::response
*/
public function testResponseFrameAncestorsSelf(): void
{
$this->app = $this->app->clone([
'options' => [
'panel' => [
'frameAncestors' => true
]
]
]);

// create panel dist files first to avoid redirect
Document::link($this->app);

// get panel response
$response = Document::response([
'test' => 'Test'
]);

$this->assertInstanceOf('\Kirby\Http\Response', $response);
$this->assertSame(200, $response->code());
$this->assertSame('text/html', $response->type());
$this->assertSame('UTF-8', $response->charset());
$this->assertSame("frame-ancestors 'self'", $response->header('Content-Security-Policy'));
$this->assertNotNull($response->body());
}

/**
* @covers ::response
*/
public function testResponseFrameAncestorsArray(): void
{
$this->app = $this->app->clone([
'options' => [
'panel' => [
'frameAncestors' => ['*.example.com', 'https://example.com']
]
]
]);

// create panel dist files first to avoid redirect
Document::link($this->app);

// get panel response
$response = Document::response([
'test' => 'Test'
]);

$this->assertInstanceOf('\Kirby\Http\Response', $response);
$this->assertSame(200, $response->code());
$this->assertSame('text/html', $response->type());
$this->assertSame('UTF-8', $response->charset());
$this->assertSame(
"frame-ancestors 'self' *.example.com https://example.com",
$response->header('Content-Security-Policy')
);
$this->assertNotNull($response->body());
}

/**
* @covers ::response
*/
public function testResponseFrameAncestorsString(): void
{
$this->app = $this->app->clone([
'options' => [
'panel' => [
'frameAncestors' => '*.example.com https://example.com'
]
]
]);

// create panel dist files first to avoid redirect
Document::link($this->app);

// get panel response
$response = Document::response([
'test' => 'Test'
]);

$this->assertInstanceOf('\Kirby\Http\Response', $response);
$this->assertSame(200, $response->code());
$this->assertSame('text/html', $response->type());
$this->assertSame('UTF-8', $response->charset());
$this->assertSame(
'frame-ancestors *.example.com https://example.com',
$response->header('Content-Security-Policy')
);
$this->assertNotNull($response->body());
}
}
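Review bot: No test pins that a non-`true`/array/string value — most importantly `false` — keeps the `'none'` fallback, which is the secure default the option's else branch relies on; the existing `testResponse` only covers the option being absent. A fourth case with `'frameAncestors' => false` asserting `"frame-ancestors 'none'"` would close that gap. The three new tests also repeat the same clone/link/response/assert sequence and differ only in the option value and the expected header, so a data provider yielding `[value, expectedHeader]` pairs would express all four cases in one test method. The enclosing test class starts before this hunk.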
