Upgrade to master

CONST_CHANGELOG.txt

@@ -14,12 +14,13 @@ Information
 
 1. Hostname check:
    We add a hostname check on the `came_from` parameter, in the oauth2 login, allowed by
-   `vars.authentication.allowed_hosts` and in the OGC server clear cache, allowed by `vars.allowed_hosts`.
-   The behavior change a little bit in the `shortener.allowed_hosts` and in the `authorized_referers`.
+   `vars.authentication.allowed_hosts` and in the OGC server clear cache, allowed by `vars.admin_interface.allowed_hosts`.
+   The behavior change a little bit in the `vars.shortener.allowed_hosts` and in the `vars.authorized_referers`.
    Now everywhere:
    - If the hostname (with port) of the candidate URL equals to the request's header "Host", then it's OK.
    - If the hostname (with port) of the candidate URL is in the allowed list, then it's OK.
    And they should be netloc (hostname with port) without schema or path.
+   The `vars.allowed_hosts` is added to allowed only some authorized host.
 
 2. We replace checks (formatting) done by `c2cciutils` by `pre-commit` hooks.
    This will me more standard and transparent for the project.

CONST_create_template/geoportal/vars.yaml

@@ -265,6 +265,10 @@ vars:
       Sincerely yours
       The GeoMapFish team
 
+  allowed_hosts:
+    # TODO: Add the allowed hosts for the application (themes and dynamic.json)
+    - localhost:8484
+
   # Checker configuration
   checker:
     fulltextsearch:
@@ -403,7 +407,6 @@ update_paths:
   - interfaces_theme
   - resourceproxy
   - servers
-  - shortener.allowed_hosts
   - smtp
   - sqlalchemy
   - sqlalchemy_slave

geoportal/CONST_config-schema.yaml

@@ -205,6 +205,10 @@ mapping:
           oauth2_token_expire_minutes:
             type: scalar
             required: false
+          allowed_hosts:
+            type: seq
+            sequence:
+              - type: str
           openid_connect:
             type: map
             required: false
@@ -256,10 +260,17 @@ mapping:
             type: seq
             sequence:
               - type: str
+
       authorized_referers:
         type: seq
         sequence:
           - type: str
+
+      allowed_hosts:
+        type: seq
+        sequence:
+          - type: str
+
       global_headers:
         type: seq
         sequence:

geoportal/CONST_vars.yaml

@@ -1072,10 +1072,9 @@ vars:
     'self'
     {content_security_policy_c2c_default_src_extra}"
   content_security_policy_c2c_script_src: "
-    'self'
+    'unsafe-inline'
     {content_security_policy_c2c_script_src_extra}"
   content_security_policy_c2c_style_src: "
-    'self'
     'unsafe-inline'
     https://cdnjs.cloudflare.com/
     {content_security_policy_c2c_style_src_extra}"
@@ -1110,15 +1109,12 @@ vars:
         Access-Control-Allow-Origin: '*'
         Access-Control-Allow-Headers: X-Requested-With, Content-Type
     - pattern: '^/c2c$'
-      headers:
+      headers: &c2c_headers
         Content-Security-Policy: 'default-src {content_security_policy_c2c_default_src};
           script-src {content_security_policy_c2c_script_src};
           style-src {content_security_policy_c2c_style_src};'
     - pattern: '^/c2c/.*'
-      headers:
-        Content-Security-Policy: 'default-src {content_security_policy_c2c_default_src};
-          script-src {content_security_policy_c2c_script_src};
-          style-src {content_security_policy_c2c_style_src};'
+      headers: *c2c_headers
     - pattern: '^/iframe_api(/theme/.*)?$'
       headers:
         Content-Security-Policy: 'default-src {content_security_policy_main_default_src};

geoportal/vars.yaml

@@ -776,6 +776,10 @@ vars:
   servers:
     wmts: '{WMTS_URL}'
 
+  allowed_hosts:
+    # TODO: Add the allowed hosts for the application (themes and dynamic.json)
+    - localhost:8484
+
   # Checker configuration
   checker_ogc_server: Main PNG
   checker:
@@ -960,7 +964,6 @@ update_paths:
   - interfaces_theme
   - resourceproxy
   - servers
-  - shortener.allowed_hosts
   - smtp
   - sqlalchemy
   - sqlalchemy_slave