diff --git a/phpgwapi/inc/class.egw_framework.inc.php b/phpgwapi/inc/class.egw_framework.inc.php
index 952a85512a..fc972a6969 100644
--- a/phpgwapi/inc/class.egw_framework.inc.php
+++ b/phpgwapi/inc/class.egw_framework.inc.php
@@ -122,6 +122,16 @@ abstract class egw_framework
 return implode(' ', self::$csp_script_src_attrs);
 }
 
+ /**
+ * Query additional CSP frame-src from current app
+ *
+ * @return array
+ */
+ protected function _get_csp_frame_src()
+ {
+ return $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']);
+ }
+
 /**
 * Send HTTP headers: Content-Type and Content-Security-Policy
 */
@@ -135,7 +145,11 @@ abstract class egw_framework
 // - "connect-src 'self'" allows ajax requests only to self
 // - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
 // - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
- $csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs())."; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' manual.egroupware.org";
+ $frame_src = array("'self'", 'manual.egroupware.org');
+ if (($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, $additional);
+
+ $csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs()).
+ "; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src ".implode(' ', $frame_src);
 //error_log(__METHOD__."() script_attrs=$script_attrs");
 //$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
 header("Content-Security-Policy: $csp");
diff --git a/phpgwapi/js/jsapi/egw.js b/phpgwapi/js/jsapi/egw.js
index 30b61eefaa..794c5bfe4e 100644
--- a/phpgwapi/js/jsapi/egw.js
+++ b/phpgwapi/js/jsapi/egw.js
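Review bot: The docblock added for `_get_csp_frame_src` promises `@return array`, yet the only caller (in the next hunk) tests the result for truthiness before merging it, which suggests the hook layer can also hand back an empty or false result when the current app implements no `csp-frame-src` hook — the docblock should say so rather than leave the caller's guard unexplained. The contract for hook implementers is also missing: nothing tells an app author that each entry is spliced verbatim into the `frame-src` directive of the Content-Security-Policy header. Suggest replacing the return annotation with `@return array|false list of CSP host-source tokens (e.g. "https://example.org") to append to frame-src, or false/empty if the current app adds none; entries must be single tokens without whitespace or ';'`. Whether `hooks->single()` really returns false in the no-hook case cannot be seen from this hunk, so confirm against the hooks class before committing to that wording.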
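Review bot: The hook result is trusted verbatim at `if (($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, $additional);` — a non-array truthy return (a string, or `true`) makes `array_merge` fail and the following `implode` then emits a `frame-src` directive with no sources, which browsers treat as `'none'` and so blocks every frame including the app's own, while any string entry containing whitespace or `;` can widen the directive (e.g. `*`) or append further directives, since `header()` only rejects line breaks, not `;`. Hooks are registered by installed apps rather than by end users, so this is hardening rather than an exploitable hole, but one careless hook silently weakens or breaks the policy for every response that app renders. Suggest validating the shape and the tokens at the merge point: `if (is_array($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, array_filter($additional, function($src) { return is_string($src) && $src !== '' && !preg_match('/[\s;]/', $src); }));`. Logging rejected entries via `error_log` would help app authors notice a malformed hook return instead of getting a silently narrowed policy.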
@@ -200,7 +200,7 @@
 }
 // set sidebox for tabed templates
- var sidebox = egw_script.getAttribute('data-setSidebox');
+ var sidebox = egw_script.getAttribute('data-setSidebox') || jQuery('#late-sidebox').attr('data-setSidebox');
 if (window.framework && sidebox)
 {
 window.framework.setSidebox.apply(window.framework, JSON.parse(sidebox));