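def sidebar_app(request, extra=None):
    """
    Return the template context for the Hypothesis client's sidebar application.

    As a side effect, sets a ``Content-Security-Policy`` header on
    ``request.response`` that restricts scripts and styles to the client's
    origin (styles additionally allow inline CSS, see below).

    :param request: The Pyramid request. Its registry settings supply the
        client configuration and its ``response`` receives the CSP header.
    :param extra: A dict of optional properties specifying link tags and meta
        attributes to be included on the page. It is merged into the context
        last, so any key it shares with the context (``app_config``,
        ``client_url``) overrides the value computed here.
    :return: A dict with ``app_config`` (the JSON-encoded client configuration)
        and ``client_url`` (the client bundle URL), plus any ``extra`` keys.
    """
    settings = request.registry.settings
    sentry_public_dsn = settings.get("h.sentry_dsn_client")

    # Resolved once and reused for both the context and the CSP origin so the
    # two can never disagree (previously the helper was called twice).
    client_url = _client_url(request)

    app_config = {
        "apiUrl": request.route_url("api.index"),
        "authDomain": request.default_authority,
        "oauthClientId": settings.get("h.client_oauth_id"),
        # The list of origins that the client will respond to cross-origin RPC
        # requests from.
        "rpcAllowedOrigins": settings.get("h.client_rpc_allowed_origins"),
    }

    if sentry_public_dsn:
        # `h.sentry_environment` primarily refers to h's Sentry environment,
        # but it also matches the client environment for the embed (dev, qa, prod).
        app_config["sentry"] = {
            "dsn": sentry_public_dsn,
            "environment": settings.get("h.sentry_environment"),
        }

    ctx = {
        # NOTE(review): this JSON is presumably rendered into a <script> block
        # by the template. The values are deployment settings rather than user
        # input, but the template still has to be safe for the script context
        # (a literal "</script>" in a setting would terminate the block) —
        # confirm how it is emitted; the template is not visible here.
        "app_config": json.dumps(app_config),
        "client_url": client_url,
    }

    if extra is not None:
        ctx.update(extra)

    # Add CSP headers to prevent scripts or styles from unexpected locations
    # being loaded in the page. Note that the client sidebar app uses a different
    # CSP than pages that are part of the 'h' website.
    #
    # As well as offering an extra layer of protection against various security
    # risks, this also helps to reduce noise in Sentry reports due to script
    # tags added by e.g. browser extensions.
    client_origin = origin(client_url)

    # nb. Inline styles are currently allowed for the client because LaTeX
    # math rendering using KaTeX relies on them. This keeps script injection
    # blocked but leaves CSS injection in the sidebar document possible.
    style_src = f"{client_origin} 'unsafe-inline'"

    # NOTE(review): only script-src and style-src are set. Without object-src
    # or base-uri the policy does not restrict <object>/<embed> loads or a
    # <base href> rewriting relative URLs; "object-src 'none'; base-uri 'none'"
    # is the usual hardening. It is deliberately not added here because we
    # cannot see whether the sidebar's HTML relies on either — check app.html
    # before tightening.
    request.response.headers["Content-Security-Policy"] = (
        f"script-src {client_origin}; style-src {style_src}"
    )

    return ctx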
def test_origin(url_in, url_out):
    """Check that ``uri.origin`` maps ``url_in`` to the expected ``url_out``."""
    # The (url_in, url_out) pairs presumably come from a parametrize decorator
    # that precedes this function and is not shown in this listing.
    actual = uri.origin(url_in)
    assert actual == url_out
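def sidebar_app(request, extra=None):
    """
    Return the template context for the Hypothesis client's sidebar application.

    As a side effect, sets a ``Content-Security-Policy`` header on
    ``request.response`` that limits scripts to h itself, the client's origin
    and Google Analytics, and styles to the client's origin.

    :param request: The Pyramid request. Its registry settings supply the
        client configuration and its ``response`` receives the CSP header.
    :param extra: A dict of optional properties specifying link tags and meta
        attributes to be included on the page. It is merged into the context
        last, so any key it shares with the context (``app_config``,
        ``embed_url``) overrides the value computed here.
    :return: A dict with ``app_config`` (the JSON-encoded client configuration)
        and ``embed_url`` (the path of h's ``embed`` route), plus any ``extra``
        keys.
    """
    settings = request.registry.settings
    ga_client_tracking_id = settings.get("ga_client_tracking_id")
    sentry_public_dsn = settings.get("h.sentry_dsn_client")
    websocket_url = settings.get("h.websocket_url")

    app_config = {
        "apiUrl": request.route_url("api.index"),
        "authDomain": request.default_authority,
        "oauthClientId": settings.get("h.client_oauth_id"),
        "release": __version__,
        # The list of origins that the client will respond to cross-origin RPC
        # requests from.
        "rpcAllowedOrigins": settings.get("h.client_rpc_allowed_origins"),
    }

    # Optional keys are only present when the corresponding setting is truthy.
    if websocket_url:
        app_config["websocketUrl"] = websocket_url

    if sentry_public_dsn:
        # `h.sentry_environment` primarily refers to h's Sentry environment,
        # but it also matches the client environment for the embed (dev, qa, prod).
        app_config["sentry"] = {
            "dsn": sentry_public_dsn,
            "environment": settings.get("h.sentry_environment"),
        }

    if ga_client_tracking_id:
        app_config["googleAnalytics"] = ga_client_tracking_id

    ctx = {
        # NOTE(review): this JSON is presumably rendered into a <script> block
        # by the template. The values are deployment settings rather than user
        # input, but the template still has to be safe for the script context
        # (a literal "</script>" in a setting would terminate the block) —
        # confirm how it is emitted; the template is not visible here.
        "app_config": json.dumps(app_config),
        "embed_url": request.route_path("embed"),
    }

    if extra is not None:
        ctx.update(extra)

    # Add CSP headers to prevent scripts or styles from unexpected locations
    # being loaded in the page. Note that the client sidebar app uses a different
    # CSP than pages that are part of the 'h' website.
    #
    # As well as offering an extra layer of protection against various security
    # risks, this also helps to reduce noise in Sentry reports due to script
    # tags added by e.g. browser extensions.
    #
    # The `'self'` script-src is needed because app.html references the `/embed.js`
    # route from h.
    client_origin = origin(_client_url(request))
    ga_origin = "https://www.google-analytics.com"

    # NOTE(review): only script-src and style-src are set. Without object-src
    # or base-uri the policy does not restrict <object>/<embed> loads or a
    # <base href> rewriting relative URLs (which matters more here, since
    # 'self' and the relative /embed.js reference are in play);
    # "object-src 'none'; base-uri 'none'" is the usual hardening. It is
    # deliberately not added because we cannot see whether app.html relies on
    # either — check before tightening.
    request.response.headers["Content-Security-Policy"] = (
        f"script-src 'self' {client_origin} {ga_origin}; style-src {client_origin}"
    )

    return ctx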
def test_it(self, url_in, url_out):
    """Check that ``uri.origin`` maps ``url_in`` to the expected ``url_out``."""
    # The (url_in, url_out) pairs presumably come from a parametrize decorator
    # on this method that is not shown in this listing.
    actual = uri.origin(url_in)
    assert actual == url_out