
Maintenance: Improved CSP configuration and form preview.

Martin Gruner 2 years ago
parent
commit
030e89a396

+ 0 - 1
app/assets/javascripts/app/views/channel/form.jst.eco

@@ -140,7 +140,6 @@
         <div class="browser-website centered vertical fit">
           <div class="btn js-formBtn"><%- @T('Feedback') %></div>
           <div class="js-formInline browser-inline-form"></div>
-          <script id="zammad_form_script" src="/assets/form/form.js"></script>
         </div>
       </div>
     </div>

+ 12 - 2
app/views/layouts/application.html.erb

@@ -9,10 +9,20 @@
   <%= stylesheet_link_tag "application", :media => 'all' %>
   <%= stylesheet_link_tag "application-print", :media => 'print' %>
   <% if Rails.configuration.assets.debug %>
-  <%= javascript_include_tag "application", nonce: true %>
+    <%= javascript_include_tag "application", nonce: true %>
   <% else %>
-  <%= javascript_include_tag "application", nonce: true, :defer => 'defer' %>
+    <%= javascript_include_tag "application", nonce: true, :defer => 'defer' %>
   <% end %>
+
+  <%# Statically include external files with a nonce here to conform to CSP properly. %>
+  <%# Required by form channel configuration preview. %>
+  <%= javascript_include_tag "../assets/form/form.js", nonce: true, :defer => 'defer', :skip_pipeline => true, :id => "zammad_form_script"  %>
+
+  <%# Required for browser time mocking in tests. %>
+  <% if Rails.env.test? %>
+    <%= javascript_include_tag "../assets/tests/sinon-9.2.4.js", nonce: true, :skip_pipeline => true, :id => "zammad_form_script"  %>
+  <% end %>
+
   <%= csrf_meta_tags %>
 </head>
 <body>
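Review bot: The sinon tag in the `Rails.env.test?` branch carries the same `:id => "zammad_form_script"` as the form.js tag two lines above it, so in the test environment the document has two elements with that id and anything that looks up `#zammad_form_script` (the form preview, per the comment) resolves by DOM order rather than by intent. It reads like a copy-paste leftover; drop the id from the sinon tag or give it its own, e.g. `:id => "zammad_test_sinon_script"`. The `"../assets/form/form.js"` path with `skip_pipeline: true` only lands on the right file because the browser collapses the `..`; the absolute `"/assets/form/form.js"` the removed template used states the location directly and is less fragile if the asset prefix ever changes. Both tags keep `nonce: true`, which is what makes them acceptable under a nonce-based policy.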

+ 1 - 1
config/initializers/content_security_policy.rb

@@ -45,7 +45,7 @@ Rails.application.config.content_security_policy do |policy|
   policy.font_src    :self, :data
   policy.img_src     '*', :data
   policy.object_src  :none
-  policy.script_src  :self, :unsafe_eval, :strict_dynamic
+  policy.script_src  :self, :unsafe_eval
   policy.style_src   :self, :unsafe_inline
   policy.frame_src   'www.youtube.com', 'player.vimeo.com'
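Review bot: Dropping `:strict_dynamic` changes what `:self` means on this line: with strict-dynamic present a nonce was the only thing that let a script run and the `:self` allowlist was ignored, whereas with the new value any script served from the application's own origin executes with or without a nonce, so `nonce: true` on the layout tags no longer gates same-origin files at all. That is a broadening of script-src rather than only a fix for the form preview, and it matters if anything user-supplied can be served from the same origin with a script content type — I cannot tell from this hunk whether that is possible here, but it is the question to answer before merging. The tradeoff deserves a comment next to the directive, e.g. `# No strict-dynamic: same-origin scripts are allowlisted via :self; nonces still cover inline scripts.`. If the intent was only to let the now-nonced layout includes load, strict-dynamic already permits nonced `<script src>` tags, so the removal may not be necessary.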
 

+ 5 - 0
doc/developer_manual/standards/how-to-handle-localization.md

@@ -24,6 +24,11 @@ The Zammad chat currently has its own build pipeline and also a custom translati
 Messages and translations are directly baked into [chat.coffee](../public/assets/chat/chat.coffee) and have to be maintained
 there.
 
+### Zammad Forms Channel - `public/assets/form/form.js`
+
+Messages and translations are directly baked into [form.js](../public/assets/form/form.js) and have to be maintained
+there.
+
 ## Zammad Notification Templates - `app/views/mailer/*`
 
 Zammad contains a number of different notification templates which are currently stored directly in language-specific `ERB`

+ 1 - 11
spec/support/time_helper.rb

@@ -28,17 +28,7 @@ module TimeHelperCache
   # Similar to #travel_to, but fakes browser (frontend) time.
   # Useful when testing time that is generated in frontend
   def browser_travel_to(time)
-    execute_script <<~JAVASCRIPT
-      // load sinon if it's not already loaded
-      if(typeof sinon == 'undefined') {
-        var script = document.createElement( 'script' );
-        script.type = 'text/javascript';
-        script.src = '/assets/tests/sinon-9.2.4.js';
-        $('head').append( script );
-      }
-
-      window.clock = sinon.useFakeTimers({now: new Date(#{time.to_i * 1_000}), toFake: ['Date']})
-    JAVASCRIPT
+    execute_script "window.clock = sinon.useFakeTimers({now: new Date(#{time.to_i * 1_000}), toFake: ['Date']})"
   end
 end
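Review bot: The rewritten `browser_travel_to` assumes `sinon` is already defined on the page, but the only thing that defines it is the test-gated include in the application layout; any Capybara test that calls this helper on a page rendered without that layout now fails with a bare `ReferenceError: sinon is not defined` raised out of `execute_script`, and the self-loading fallback that used to cover that case is gone. A guard that fails with a readable message keeps the failure local to the helper, and the new dependency on the layout should be stated in a comment since it is no longer visible in the code. The enclosing `module TimeHelperCache` starts outside this hunk.
```ruby
  def browser_travel_to(time)
    # sinon is no longer loaded here; it is served by the test-only include in
    # app/views/layouts/application.html.erb, so this helper only works on pages
    # rendered with that layout.
    execute_script <<~JAVASCRIPT
      if (typeof sinon === 'undefined') {
        throw new Error('browser_travel_to: sinon is not loaded on this page (not rendered with the application layout?)');
      }
      window.clock = sinon.useFakeTimers({now: new Date(#{time.to_i * 1_000}), toFake: ['Date']});
    JAVASCRIPT
  end
```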