From b4ed7e14696abe8fc5656b6f01e9072dc4b14890 Mon Sep 17 00:00:00 2001
From: Elwin Schmitz
Date: Wed, 15 Jan 2025 16:42:42 +0100
Subject: [PATCH] feat: Allow control of pop-ups from iframes in Twilio Flex in config-builder AB#32724
---
 .../_build-deployment-configuration.mjs | 14 ++++++++++++--
 .../_test-deployment-configuration.mjs | 13 +++++++++++++
 .../_verify-deployment-configuration.mjs | 13 +++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/interfaces/Portalicious/_build-deployment-configuration.mjs b/interfaces/Portalicious/_build-deployment-configuration.mjs
index 60539a17b2..6797edf5f2 100644
--- a/interfaces/Portalicious/_build-deployment-configuration.mjs
+++ b/interfaces/Portalicious/_build-deployment-configuration.mjs
@@ -32,7 +32,6 @@ if (!swaConfig.globalHeaders) {
 // NOTE: All values in each array are written as template-strings, as the use of single-quotes around some values (i.e. 'self') is mandatory and will affect the working of the HTTP-Header.
 let contentSecurityPolicy = new Map([
 ['default-src', [`'self'`]],
- ['disown-opener', []],
 ['connect-src', [`'self'`]],
 ['frame-ancestors', [`'self'`]],
 ['frame-src', [`blob:`, `'self'`]],
@@ -41,7 +40,6 @@ let contentSecurityPolicy = new Map([
 ['referrer', [`no-referrer`]],
 ['reflected-xss', [`block`]],
 ['style-src', [`'self'`, `'unsafe-inline'`]],
- ['upgrade-insecure-requests', []],
 ]);
 // Set API-origin
@@ -94,6 +92,18 @@ if (process.env.USE_IN_TWILIO_FLEX_IFRAME === 'true') {
 ]);
 }
+if (
+ process.env.USE_SSO_AZURE_ENTRA === 'true' &&
+ process.env.USE_IN_TWILIO_FLEX_IFRAME === 'true'
+) {
+ console.info(
+ '✅ Allow control of pop-ups for SSO when the Portal is in an iframe on Twilio Flex',
+ );
+
+ swaConfig.globalHeaders['Cross-Origin-Opener-Policy'] =
+ 'same-origin-allow-popups';
+}
+
 // Feature: PowerBI Dashboard(s)
 if (process.env.USE_POWERBI_DASHBOARDS === 'true') {
 console.info('✅ Allow loading Power BI-dashboards');
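Review bot: The second hunk removes `upgrade-insecure-requests` from the CSP map together with `disown-opener`, but only the latter is a dead directive (as far as I know it never shipped in browsers); `upgrade-insecure-requests` is a live directive that makes browsers upgrade http: subresource and navigation requests, and neither the commit message nor a comment explains dropping it. If it was removed because an empty value list serialized badly into the header, that deserves a one-line comment or a commit-message note; otherwise I would keep `['upgrade-insecure-requests', []],`. How the Map is turned into the header value is outside the hunk, so I may be missing the reason.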
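Review bot: The new block in the third hunk has no comment saying why the opener policy is being relaxed, while the PowerBI block right below it carries a `// Feature: …` header; I would add `// Feature: SSO pop-up while the Portal runs inside the Twilio Flex iframe` above the `if`, and on the assignment `// 'same-origin-allow-popups' keeps this document isolated from cross-origin openers but lets the SSO pop-up it opens keep its window.opener, which the sign-in flow needs.` The condition also repeats the `USE_IN_TWILIO_FLEX_IFRAME === 'true'` check of the block directly above (whose body lies mostly outside the hunk), so nesting this inside that block may read more clearly, though that is a matter of taste. The hunk presumably overrides a stricter `Cross-Origin-Opener-Policy` default set earlier in the file, which the new tests imply but this hunk does not show, so a reader would benefit from the comment naming that default.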
diff --git a/interfaces/Portalicious/_test-deployment-configuration.mjs b/interfaces/Portalicious/_test-deployment-configuration.mjs
index 6f917da690..33b6ba5410 100644
--- a/interfaces/Portalicious/_test-deployment-configuration.mjs
+++ b/interfaces/Portalicious/_test-deployment-configuration.mjs
@@ -55,6 +55,19 @@ test('Content-Security-Policy configuration for loading as iframe in Twilio Flex
 }
 });
+test('Configuration to control pop-ups for SSO when the Portal is in an iframe on Twilio Flex', () => {
+ const openerPolicy = swaConfig.globalHeaders['Cross-Origin-Opener-Policy'];
+
+ if (
+ process.env.USE_IN_TWILIO_FLEX_IFRAME === 'true' &&
+ process.env.USE_SSO_AZURE_ENTRA === 'true'
+ ) {
+ match(openerPolicy, /same-origin-allow-popups/);
+ } else {
+ match(openerPolicy, /same-origin/);
+ }
+});
+
 test('Content-Security-Policy configuration to load PowerBI dashboard(s) in iframe', () => {
 const frameSrcCondition = /frame-src[^;]* https:\/\/app\.powerbi\.com/;
diff --git a/interfaces/Portalicious/_verify-deployment-configuration.mjs b/interfaces/Portalicious/_verify-deployment-configuration.mjs
index c200b1b1e0..e872225028 100644
--- a/interfaces/Portalicious/_verify-deployment-configuration.mjs
+++ b/interfaces/Portalicious/_verify-deployment-configuration.mjs
@@ -63,6 +63,19 @@ test('Content-Security-Policy set for loading as iframe in Twilio Flex', () => {
 }
 });
+test('Configuration set to control pop-ups for SSO when the Portal is in an iframe on Twilio Flex', () => {
+ const openerPolicy = response.headers.get('Cross-Origin-Opener-Policy');
+
+ if (
+ process.env.USE_IN_TWILIO_FLEX_IFRAME === 'true' &&
+ process.env.USE_SSO_AZURE_ENTRA === 'true'
+ ) {
+ match(openerPolicy, /same-origin-allow-popups/);
+ } else {
+ match(openerPolicy, /same-origin/);
+ }
+});
+
 test('Content-Security-Policy set to load PowerBI dashboard(s) in iframe', () => {
 const frameSrcCondition = /frame-src[^;]* https:\/\/app\.powerbi\.com/;
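Review bot: The else-branch assertion `match(openerPolicy, /same-origin/);` also matches `same-origin-allow-popups`, so it can never catch the relaxed policy leaking into a deployment where SSO or the Flex iframe is disabled; the `_verify-deployment-configuration.mjs` hunk below has the same unanchored pattern. Anchor it, `match(openerPolicy, /^same-origin$/);`, and for symmetry the positive branch can become `match(openerPolicy, /^same-origin-allow-popups$/);`. In the verify file `response.headers.get(...)` yields `null` when the header is absent, which `match` reports as a wrong-argument-type complaint rather than a clear missing-header failure; a preceding `ok(openerPolicy, 'Cross-Origin-Opener-Policy header missing');` would make that explicit, assuming `ok` is available from the same assert import as `match` (the imports are outside the hunk).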