[ADD] web_clickjack_protection

2021-07-02 23:11:11 +03:00 · 2021-07-02 23:11:11 +03:00 · 570d3077c9
parent f7ab6aabab
commit 570d3077c9
11 changed files with 552 additions and 0 deletions
--- a/setup/web_clickjack_protection/odoo/addons/web_clickjack_protection
+++ b/setup/web_clickjack_protection/odoo/addons/web_clickjack_protection
@ -0,0 +1 @@
 ../../../../web_clickjack_protection
--- a/setup/web_clickjack_protection/setup.cfg
+++ b/setup/web_clickjack_protection/setup.cfg
@ -0,0 +1,2 @@
 [bdist_wheel]
 universal=1
--- a/setup/web_clickjack_protection/setup.py
+++ b/setup/web_clickjack_protection/setup.py
@ -0,0 +1,6 @@
 import setuptools
 setuptools.setup(
    setup_requires=['setuptools-odoo'],
    odoo_addon=True,
 )
--- a/web_clickjack_protection/README.rst
+++ b/web_clickjack_protection/README.rst
@ -0,0 +1,76 @@
 ========================
 Web Clickjack Protection
 ========================
 .. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! This file is generated by oca-gen-addon-readme !!
   !! changes will be overwritten.                   !!
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
    :target: https://odoo-community.org/page/development-status
    :alt: Beta
 .. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
    :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fweb-lightgray.png?logo=github
    :target: https://github.com/OCA/web/tree/11.0/web_clickjack_protection
    :alt: OCA/web
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
    :target: https://translation.odoo-community.org/projects/web-11-0/web-11-0-web_clickjack_protection
    :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
    :target: https://runbot.odoo-community.org/runbot/162/11.0
    :alt: Try me on Runbot
 |badge1| |badge2| |badge3| |badge4| |badge5| 
 Clickjacking is a technique by which a malicious party embeds your website in an <iframe>, then hovers buttons over it to make the user think he is clicking on your site when in fact he is communicating with the parent frame.
 Clickjacking can be prevented on the webserver side by adding headers, but there are `ways around this <https://github.com/niutech/x-frame-bypass>`_. This module prevents clickjacking more thoroughly by making it impossible for your site to be embedded. It does so by adding a small "framebreaker" Javascript which creates a CSS style element on the fly to hide the body of the current page by default. Then, if it doesn't detect a parent frame, it removes it again.
 **Table of contents**
 .. contents::
   :local:
 Bug Tracker
 ===========
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/web/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
 `feedback <https://github.com/OCA/web/issues/new?body=module:%20web_clickjack_protection%0Aversion:%2011.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 Do not contact contributors directly about support or help with technical issues.
 Credits
 =======
 Authors
 ~~~~~~~
 * Sunflower IT
 Contributors
 ~~~~~~~~~~~~
 * Tom Blauwendraat <tom@sunflowerweb.nl>
 * Kevin Kamau <kevin@sunflowerweb.nl>
 Maintainers
 ~~~~~~~~~~~
 This module is maintained by the OCA.
 .. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org
 OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 This module is part of the `OCA/web <https://github.com/OCA/web/tree/11.0/web_clickjack_protection>`_ project on GitHub.
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
--- a/web_clickjack_protection/init.py
+++ b/web_clickjack_protection/init.py
@ -0,0 +1,2 @@
 # Copyright 2021 Sunflower IT <https://www.sunflowerweb.nl>
 # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
--- a/web_clickjack_protection/manifest.py
+++ b/web_clickjack_protection/manifest.py
@ -0,0 +1,15 @@
 # Copyright 2021 Sunflower IT <https://www.sunflowerweb.nl>
 # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
 {
    "name": "Web Clickjack Protection",
    "version": "11.0.1.0.0",
    "author": "Sunflower IT,Odoo Community Association (OCA)",
    "website": "https://github.com/OCA/web",
    "license": "AGPL-3",
    "category": "Usability",
    "summary": "Protects Odoo instancess from possible Clickjacking attacks",
    "depends": ["web"],
    "data": ["views/web_assets.xml"],
    "installable": True,
    "auto_install": False,
 }
--- a/web_clickjack_protection/readme/CONTRIBUTORS.rst
+++ b/web_clickjack_protection/readme/CONTRIBUTORS.rst
@ -0,0 +1,2 @@
 * Tom Blauwendraat <tom@sunflowerweb.nl>
 * Kevin Kamau <kevin@sunflowerweb.nl>
--- a/web_clickjack_protection/readme/DESCRIPTION.rst
+++ b/web_clickjack_protection/readme/DESCRIPTION.rst
@ -0,0 +1,3 @@
 Clickjacking is a technique by which a malicious party embeds your website in an <iframe>, then hovers buttons over it to make the user think he is clicking on your site when in fact he is communicating with the parent frame.
 Clickjacking can be prevented on the webserver side by adding headers, but there are `ways around this <https://github.com/niutech/x-frame-bypass>`_. This module prevents clickjacking more thoroughly by making it impossible for your site to be embedded. It does so by adding a small "framebreaker" Javascript which creates a CSS style element on the fly to hide the body of the current page by default. Then, if it doesn't detect a parent frame, it removes it again.
--- a/web_clickjack_protection/static/description/icon.png
+++ b/web_clickjack_protection/static/description/icon.png
--- a/web_clickjack_protection/static/description/index.html
+++ b/web_clickjack_protection/static/description/index.html
@ -0,0 +1,421 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Docutils: http://docutils.sourceforge.net/" />
 <title>Web Clickjack Protection</title>
 <style type="text/css">
 /*
 :Author: David Goodger (goodger@python.org)
 :Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 Default cascading style sheet for the HTML output of Docutils.
 See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
 */
 /* used to remove borders from tables and images */
 .borderless, table.borderless td, table.borderless th {
  border: 0 }
 table.borderless td, table.borderless th {
  /* Override padding for "table.docutils td" with "! important".
     The right padding separates the table cells. */
  padding: 0 0.5em 0 0 ! important }
 .first {
  /* Override more specific margin styles with "! important". */
  margin-top: 0 ! important }
 .last, .with-subtitle {
  margin-bottom: 0 ! important }
 .hidden {
  display: none }
 .subscript {
  vertical-align: sub;
  font-size: smaller }
 .superscript {
  vertical-align: super;
  font-size: smaller }
 a.toc-backref {
  text-decoration: none ;
  color: black }
 blockquote.epigraph {
  margin: 2em 5em ; }
 dl.docutils dd {
  margin-bottom: 0.5em }
 object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
  overflow: hidden;
 }
 /* Uncomment (and remove this text!) to get bold-faced definition list terms
 dl.docutils dt {
  font-weight: bold }
 */
 div.abstract {
  margin: 2em 5em }
 div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }
 div.admonition, div.attention, div.caution, div.danger, div.error,
 div.hint, div.important, div.note, div.tip, div.warning {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }
 div.admonition p.admonition-title, div.hint p.admonition-title,
 div.important p.admonition-title, div.note p.admonition-title,
 div.tip p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }
 div.attention p.admonition-title, div.caution p.admonition-title,
 div.danger p.admonition-title, div.error p.admonition-title,
 div.warning p.admonition-title, .code .error {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }
 /* Uncomment (and remove this text!) to get reduced vertical space in
   compound paragraphs.
 div.compound .compound-first, div.compound .compound-middle {
  margin-bottom: 0.5em }
 div.compound .compound-last, div.compound .compound-middle {
  margin-top: 0.5em }
 */
 div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }
 div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }
 div.figure {
  margin-left: 2em ;
  margin-right: 2em }
 div.footer, div.header {
  clear: both;
  font-size: smaller }
 div.line-block {
  display: block ;
  margin-top: 1em ;
  margin-bottom: 1em }
 div.line-block div.line-block {
  margin-top: 0 ;
  margin-bottom: 0 ;
  margin-left: 1.5em }
 div.sidebar {
  margin: 0 0 0.5em 1em ;
  border: medium outset ;
  padding: 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }
 div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }
 div.system-messages {
  margin: 5em }
 div.system-messages h1 {
  color: red }
 div.system-message {
  border: medium outset ;
  padding: 1em }
 div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }
 div.topic {
  margin: 2em }
 h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
 h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
  margin-top: 0.4em }
 h1.title {
  text-align: center }
 h2.subtitle {
  text-align: center }
 hr.docutils {
  width: 75% }
 img.align-left, .figure.align-left, object.align-left, table.align-left {
  clear: left ;
  float: left ;
  margin-right: 1em }
 img.align-right, .figure.align-right, object.align-right, table.align-right {
  clear: right ;
  float: right ;
  margin-left: 1em }
 img.align-center, .figure.align-center, object.align-center {
  display: block;
  margin-left: auto;
  margin-right: auto;
 }
 table.align-center {
  margin-left: auto;
  margin-right: auto;
 }
 .align-left {
  text-align: left }
 .align-center {
  clear: both ;
  text-align: center }
 .align-right {
  text-align: right }
 /* reset inner alignment in figures */
 div.align-right {
  text-align: inherit }
 /* div.align-center * { */
 /*   text-align: left } */
 .align-top    {
  vertical-align: top }
 .align-middle {
  vertical-align: middle }
 .align-bottom {
  vertical-align: bottom }
 ol.simple, ul.simple {
  margin-bottom: 1em }
 ol.arabic {
  list-style: decimal }
 ol.loweralpha {
  list-style: lower-alpha }
 ol.upperalpha {
  list-style: upper-alpha }
 ol.lowerroman {
  list-style: lower-roman }
 ol.upperroman {
  list-style: upper-roman }
 p.attribution {
  text-align: right ;
  margin-left: 50% }
 p.caption {
  font-style: italic }
 p.credits {
  font-style: italic ;
  font-size: smaller }
 p.label {
  white-space: nowrap }
 p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }
 p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }
 p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }
 p.topic-title {
  font-weight: bold }
 pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font: inherit }
 pre.literal-block, pre.doctest-block, pre.math, pre.code {
  margin-left: 2em ;
  margin-right: 2em }
 pre.code .ln { color: grey; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
 pre.code .literal.string, code .literal.string { color: #0C5404 }
 pre.code .name.builtin, code .name.builtin { color: #352B84 }
 pre.code .deleted, code .deleted { background-color: #DEB0A1}
 pre.code .inserted, code .inserted { background-color: #A3D289}
 span.classifier {
  font-family: sans-serif ;
  font-style: oblique }
 span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }
 span.interpreted {
  font-family: sans-serif }
 span.option {
  white-space: nowrap }
 span.pre {
  white-space: pre }
 span.problematic {
  color: red }
 span.section-subtitle {
  /* font-size relative to parent (h1..h6 element) */
  font-size: 80% }
 table.citation {
  border-left: solid 1px gray;
  margin-left: 1px }
 table.docinfo {
  margin: 2em 4em }
 table.docutils {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }
 table.footnote {
  border-left: solid 1px black;
  margin-left: 1px }
 table.docutils td, table.docutils th,
 table.docinfo td, table.docinfo th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }
 table.docutils th.field-name, table.docinfo th.docinfo-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap ;
  padding-left: 0 }
 /* "booktabs" style (no vertical lines) */
 table.docutils.booktabs {
  border: 0px;
  border-top: 2px solid;
  border-bottom: 2px solid;
  border-collapse: collapse;
 }
 table.docutils.booktabs * {
  border: 0px;
 }
 table.docutils.booktabs th {
  border-bottom: thin solid;
  text-align: left;
 }
 h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
 h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
  font-size: 100% }
 ul.auto-toc {
  list-style-type: none }
 </style>
 </head>
 <body>
 <div class="document" id="web-clickjack-protection">
 <h1 class="title">Web Clickjack Protection</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/web/tree/11.0/web_clickjack_protection"><img alt="OCA/web" src="https://img.shields.io/badge/github-OCA%2Fweb-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/web-11-0/web-11-0-web_clickjack_protection"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/162/11.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
 <p>Clickjacking is a technique by which a malicious party embeds your website in an &lt;iframe&gt;, then hovers buttons over it to make the user think he is clicking on your site when in fact he is communicating with the parent frame.</p>
 <p>Clickjacking can be prevented on the webserver side by adding headers, but there are <a class="reference external" href="https://github.com/niutech/x-frame-bypass">ways around this</a>. This module prevents clickjacking more thoroughly by making it impossible for your site to be embedded. It does so by adding a small “framebreaker” Javascript which creates a CSS style element on the fly to hide the body of the current page by default. Then, if it doesn’t detect a parent frame, it removes it again.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
 <li><a class="reference internal" href="#bug-tracker" id="id1">Bug Tracker</a></li>
 <li><a class="reference internal" href="#credits" id="id2">Credits</a><ul>
 <li><a class="reference internal" href="#authors" id="id3">Authors</a></li>
 <li><a class="reference internal" href="#contributors" id="id4">Contributors</a></li>
 <li><a class="reference internal" href="#maintainers" id="id5">Maintainers</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#id1">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/web/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/web/issues/new?body=module:%20web_clickjack_protection%0Aversion:%2011.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
 <h1><a class="toc-backref" href="#id2">Credits</a></h1>
 <div class="section" id="authors">
 <h2><a class="toc-backref" href="#id3">Authors</a></h2>
 <ul class="simple">
 <li>Sunflower IT</li>
 </ul>
 </div>
 <div class="section" id="contributors">
 <h2><a class="toc-backref" href="#id4">Contributors</a></h2>
 <ul class="simple">
 <li>Tom Blauwendraat &lt;<a class="reference external" href="mailto:tom&#64;sunflowerweb.nl">tom&#64;sunflowerweb.nl</a>&gt;</li>
 <li>Kevin Kamau &lt;<a class="reference external" href="mailto:kevin&#64;sunflowerweb.nl">kevin&#64;sunflowerweb.nl</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#id5">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
 <p>This module is part of the <a class="reference external" href="https://github.com/OCA/web/tree/11.0/web_clickjack_protection">OCA/web</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
 </div>
 </body>
 </html>
--- a/web_clickjack_protection/views/web_assets.xml
+++ b/web_clickjack_protection/views/web_assets.xml
@ -0,0 +1,24 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <odoo>
    <template
        id="assets_common"
        name="Web Anti-Clickjack Assets"
        inherit_id="web.assets_common"
    >
        <xpath expr="." position="inside">
            <script language="javascript" type="text/javascript">
                var style = document.createElement('style');
                style.type = "text/css";
                style.id = "antiClickjack";
                style.innerHTML = "body{display:none !important;}";
                document.getElementsByTagName('head')[0].appendChild(style);
                if (self === top) {
                    var antiClickjack = document.getElementById("antiClickjack");
                    if (antiClickjack)
                        antiClickjack.parentNode.removeChild(antiClickjack);
                } else
                    top.location = self.location;
            </script>
        </xpath>
    </template>
 </odoo>
		`@ -0,0 +1,2 @@`
							`# Copyright 2021 Sunflower IT <https://www.sunflowerweb.nl>`
							`# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).`
		`@ -0,0 +1,2 @@`
							`* Tom Blauwendraat <tom@sunflowerweb.nl>`
							`* Kevin Kamau <kevin@sunflowerweb.nl>`
		`@ -0,0 +1,3 @@`
							`Clickjacking is a technique by which a malicious party embeds your website in an <iframe>, then hovers buttons over it to make the user think he is clicking on your site when in fact he is communicating with the parent frame.`

							Clickjacking can be prevented on the webserver side by adding headers, but there are `ways around this <https://github.com/niutech/x-frame-bypass>`_. This module prevents clickjacking more thoroughly by making it impossible for your site to be embedded. It does so by adding a small "framebreaker" Javascript which creates a CSS style element on the fly to hide the body of the current page by default. Then, if it doesn't detect a parent frame, it removes it again.