New panel.frameAncestors option
afbora committed Aug 9, 2023
1 parent b9ac70d commit cd04488
Showing 2 changed files with 102 additions and 1 deletion.
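--- a/src/Cms/Panel.php
+++ b/src/Cms/Panel.php
@@ -134,8 +134,19 @@ public static function render(App $kirby)
 ]
 ]);
 
+$frameAncestorsOption = $kirby->option('panel.frameAncestors');
+if ($frameAncestorsOption === true) {
+$frameAncestors = "'self'";
+} elseif (is_array($frameAncestorsOption)) {
+$frameAncestors = "'self' " . implode(' ', $frameAncestorsOption);
+} elseif (is_string($frameAncestorsOption)) {
+$frameAncestors = $frameAncestorsOption;
+} else {
+$frameAncestors = "'none'";
+}
+
 return new Response($view->render(), 'text/html', 200, [
-'Content-Security-Policy' => "frame-ancestors 'none'"
+'Content-Security-Policy' => 'frame-ancestors ' . $frameAncestors
 ]);
 }
 }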
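Review bot: The `is_string` branch at `$frameAncestors = $frameAncestorsOption;` emits the configured value verbatim, so an empty or whitespace-only string yields `frame-ancestors ` with no source list, and an empty array yields `'self' ` with a trailing space; neither is the explicit `'none'` the default provides, and an ancestor-source-list that does not match the CSP grammar is not guaranteed to be treated as `'none'` by every browser, so a configuration slip degrades the clickjacking protection rather than failing closed. The option comes from site config rather than request input, so this is a robustness rather than an injection concern, but this header is the only framing defence visible in the hunk. Consider normalising before use, e.g. `$value = is_string($frameAncestorsOption) ? trim($frameAncestorsOption) : null;` and falling through to `"'none'"` when `$value === ''` (and when the array is empty), or rejecting such values with an exception so the mistake surfaces at startup. A brief comment above the chain spelling out the four forms — `true` → `'self'` only, array → `'self'` plus the listed origins, string → used verbatim (the caller must include `'self'` if wanted), anything else → `'none'` — would make the array/string asymmetry explicit. `render()` begins above this hunk.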
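--- a/tests/Cms/Panel/PanelTest.php
+++ b/tests/Cms/Panel/PanelTest.php
@@ -6,6 +6,9 @@
 use Kirby\Toolkit\F;
 use PHPUnit\Framework\TestCase;
 
+/**
+* @coversDefaultClass \Kirby\Cms\Panel
+*/
 class PanelTest extends TestCase
 {
 protected $app;
@@ -90,4 +93,91 @@ public function testRender(): void
 // clear session file
 $this->app->session()->destroy();
 }
+
+/**
+* @covers ::render
+*/
+public function testResponseFrameAncestorsSelf(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => true
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Panel::link($this->app);
+
+// get panel response
+$response = Panel::render($this->app);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame("frame-ancestors 'self'", $response->header('Content-Security-Policy'));
+$this->assertNotNull($response->body());
+}
+
+/**
+* @covers ::render
+*/
+public function testResponseFrameAncestorsArray(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => ['*.example.com', 'https://example.com']
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Panel::link($this->app);
+
+// get panel response
+$response = Panel::render($this->app);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame(
+"frame-ancestors 'self' *.example.com https://example.com",
+$response->header('Content-Security-Policy')
+);
+$this->assertNotNull($response->body());
+}
+
+/**
+* @covers ::render
+*/
+public function testResponseFrameAncestorsString(): void
+{
+$this->app = $this->app->clone([
+'options' => [
+'panel' => [
+'frameAncestors' => '*.example.com https://example.com'
+]
+]
+]);
+
+// create panel dist files first to avoid redirect
+Panel::link($this->app);
+
+// get panel response
+$response = Panel::render($this->app);
+
+$this->assertInstanceOf(Response::class, $response);
+$this->assertSame(200, $response->code());
+$this->assertSame('text/html', $response->type());
+$this->assertSame('UTF-8', $response->charset());
+$this->assertSame(
+'frame-ancestors *.example.com https://example.com',
+$response->header('Content-Security-Policy')
+);
+$this->assertNotNull($response->body());
+}
 }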
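Review bot: None of the three new tests pins the fail-closed default — there is no case for the option being unset or `false` asserting `frame-ancestors 'none'`, and no case for an empty string or empty array, which are the inputs most likely to regress silently; if `testRender` (which begins outside this hunk) does not already check that header, add `$this->assertSame("frame-ancestors 'none'", $response->header('Content-Security-Policy'));` there or in a dedicated test. The three methods repeat the same clone/link/render/assert sequence differing only in the option value and the expected header, so a data provider (`@dataProvider frameAncestorsProvider`, in this file's docblock style) yielding `[true, "frame-ancestors 'self'"]` plus the array and string cases would collapse them to one test and make adding the missing cases a one-line change. The `// create panel dist files first to avoid redirect` comment is repeated verbatim three times; with a provider it would appear once.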
