Add frame-src to Piwik plugin as * may be overwritten
Change-Id: I39023b8d662c0130e216d419d83aa076f4b7aa02
diff --git a/Changes b/Changes
index 86f0be8..bfe102f 100755
--- a/Changes
+++ b/Changes
@@ -32,6 +32,8 @@
to simplify asset configuration in proxy servers.
- Fix working directory for plugin configuration.
- Make mailto: embedding CSP compliant.
+ - Add frame-src to Piwik plugin as '*' may be
+ overwritten.
0.40 2020-12-17
- Modernize ES and fix in-loops.
diff --git a/lib/Kalamar/Plugin/Piwik.pm b/lib/Kalamar/Plugin/Piwik.pm
index e1612f9..70687ed 100644
--- a/lib/Kalamar/Plugin/Piwik.pm
+++ b/lib/Kalamar/Plugin/Piwik.pm
@@ -60,10 +60,9 @@
);
# Add tracking code as <script/> instead of inline
-
- $mojo->csp->add('script-src' => $url);
- $mojo->csp->add('connect-src' => $url);
- $mojo->csp->add('img-src' => $url);
+ foreach (qw!script connect img frame!) {
+ $mojo->csp->add("$_-src" => $url);
+ };
# Set track script for CSP compliant tracking
$mojo->routes->any('/settings/assets/tracking.js')->piwik('track_script');
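Review bot: The new loop iterates on the implicit `$_` and interpolates it into the directive name, and the closing brace is followed by a stray `;` that is an empty statement; naming the loop variable reads better and avoids `$_` being clobbered if `csp->add` ever localises it: `for my $directive (qw(script connect img frame)) {` / `    $mojo->csp->add("$directive-src" => $url);` / `}`. Note also that `frame-src` previously had no entry from this plugin; once the directive exists it overrides any `default-src`/`child-src` fallback, so if no other code sets `frame-src` this change restricts framing to `$url` alone rather than adding to a wildcard — that depends on the CSP defaults, which are not visible here, so worth confirming. A short comment above the loop such as `# Piwik needs script/connect/img for tracking and frame for the opt-out iframe` would make the intent of the added directive clear. The enclosing sub starts outside this hunk.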
diff --git a/t/plugin/piwik.t b/t/plugin/piwik.t
index cb4ba9d..13667d7 100644
--- a/t/plugin/piwik.t
+++ b/t/plugin/piwik.t
@@ -48,7 +48,8 @@
->content_unlike(qr!_paq!)
->header_like('Content-Security-Policy',qr!connect-src 'self' [^;]*?https://piwik\.korap\.ids-mannheim\.de/!)
->header_like('Content-Security-Policy',qr!img-src 'self' [^;]*?https://piwik\.korap\.ids-mannheim\.de/!)
- ->header_like('Content-Security-Policy',qr!script-src 'self' [^;]*?https://piwik.korap.ids-mannheim.de/!)
+ ->header_like('Content-Security-Policy',qr!script-src 'self' [^;]*?https://piwik\.korap\.ids-mannheim\.de/!)
+ ->header_like('Content-Security-Policy',qr!frame-src [^;]*?(?:\*|https://piwik\.korap\.ids-mannheim\.de/)!)
;
$t->get_ok('/settings/assets/tracking.js')
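Review bot: The added `frame-src` assertion accepts either `\*` or the Piwik origin, so it also passes when the header carries a bare wildcard and the Piwik URL was never added — it cannot detect a regression of the change this commit makes, and a wildcard `frame-src` is exactly the permissive state the test should notice. Since `csp->add` appends to whatever value is already there, the Piwik origin should appear regardless of any wildcard, so the check can require it: `->header_like('Content-Security-Policy',qr!frame-src [^;]*?https://piwik\.korap\.ids-mannheim\.de/!)`. If a configuration that keeps `*` is a supported case, cover it in a separate assertion rather than an alternation in this one. The method chain this hunk extends begins before the hunk.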