Issue #617: Serve content from Sandbox resource

3 files changed, 74 insertions, 0 deletions

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 86435d89..109dc08e 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -20,6 +20,7 @@ from string import Template
 
 from pixelated.resources import BaseResource, UnAuthorizedResource
 from pixelated.resources.attachments_resource import AttachmentsResource
+from pixelated.resources.sandbox_resource import SandboxResource
 from pixelated.resources.contacts_resource import ContactsResource
 from pixelated.resources.features_resource import FeaturesResource
 from pixelated.resources.feedback_resource import FeedbackResource
@@ -75,6 +76,7 @@ class RootResource(BaseResource):
         return csrf_input and csrf_input == xsrf_token
 
     def initialize(self, portal=None, disclaimer_banner=None):
+        self._child_resources.add('sandbox', SandboxResource(self._static_folder))
         self._child_resources.add('assets', File(self._static_folder))
         self._child_resources.add('keys', KeysResource(self._services_factory))
         self._child_resources.add(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory))
diff --git a/service/pixelated/resources/sandbox_resource.py b/service/pixelated/resources/sandbox_resource.py
new file mode 100644
index 00000000..28e8c9be
--- /dev/null
+++ b/service/pixelated/resources/sandbox_resource.py
@@ -0,0 +1,34 @@
+#
+# Copyright (c) 2016 ThoughtWorks, Inc.
+#
+# Pixelated is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Pixelated is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
+
+from twisted.web.static import File
+
+
+class SandboxResource(File):
+    CSP_HEADER_VALUES = "sandbox allow-popups allow-scripts;" \
+                        "default-src 'self';" \
+                        "style-src *;" \
+                        "script-src  *;" \
+                        "font-src *;" \
+                        "img-src *;" \
+                        "object-src 'none';" \
+                        "connect-src 'none';"
+
+    def render_GET(self, request):
+        request.setHeader('Content-Security-Policy', self.CSP_HEADER_VALUES)
+        request.setHeader('X-Content-Security-Policy', self.CSP_HEADER_VALUES)
+        request.setHeader('X-Webkit-CSP', self.CSP_HEADER_VALUES)
+        return super(SandboxResource, self).render_GET(request)
diff --git a/service/test/unit/resources/test_sandbox_resource.py b/service/test/unit/resources/test_sandbox_resource.py
new file mode 100644
index 00000000..3db43e12
--- /dev/null
+++ b/service/test/unit/resources/test_sandbox_resource.py
@@ -0,0 +1,38 @@
+import os
+import unittest
+
+from twisted.internet import defer
+from twisted.web.test.requesthelper import DummyRequest
+
+from pixelated.resources.sandbox_resource import SandboxResource
+from test.unit.resources import DummySite
+
+
+class TestSandBoxResource(unittest.TestCase):
+    def setUp(self):
+        static_folder = os.path.dirname(os.path.abspath(__file__))
+        self.resource = SandboxResource(static_folder)
+        self.resource.isLeaf = True
+        self.web = DummySite(self.resource)
+
+    @defer.inlineCallbacks
+    def test_render_GET_should_set_sandbox_csp_header(self):
+        request = DummyRequest(['/sandbox'])
+        request.method = 'GET'
+        request.isSecure = lambda: True
+        request.redirect = lambda _: 'irrelevant'
+
+        expected_csp_headers = "sandbox allow-popups allow-scripts;" \
+                               "default-src 'self';" \
+                               "style-src *;" \
+                               "script-src  *;" \
+                               "font-src *;" \
+                               "img-src *;" \
+                               "object-src 'none';" \
+                               "connect-src 'none';"
+
+        yield self.web.get(request)
+
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Content-Security-Policy'.lower()))
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('Content-Security-Policy'.lower()))
+        self.assertEquals(expected_csp_headers, request.outgoingHeaders.get('X-Webkit-CSP'.lower()))