[5.x] Set the proper CSP headers for multi-domain iframe (#11447)

Author: edalzell

src/Tokens/Handlers/LivePreview.php

@@ -4,7 +4,10 @@
 
 use Closure;
 use Facades\Statamic\CP\LivePreview as Facade;
+use Illuminate\Support\Collection;
 use Statamic\Contracts\Tokens\Token;
+use Statamic\Facades\Site as Sites;
+use Statamic\Sites\Site;
 
 class LivePreview
 {
@@ -16,8 +19,26 @@ public function handle(Token $token, $request, Closure $next)
 
         $response = $next($request);
 
+        if (Sites::multiEnabled()) {
+            /** @var Collection */
+            $siteURLs = Sites::all()
+                ->map(fn (Site $site) => $this->getSchemeAndHost($site))
+                ->values()
+                ->unique()
+                ->join(' ');
+
+            $response->headers->set('Content-Security-Policy', "frame-ancestors $siteURLs");
+        }
+
         $response->headers->set('X-Statamic-Live-Preview', true);
 
         return $response;
     }
+
+    private function getSchemeAndHost(Site $site): string
+    {
+        $parts = parse_url($site->absoluteUrl());
+
+        return $parts['scheme'].'://'.$parts['host'];
+    }
 }

tests/Feature/Entries/AddsHeadersToLivePreviewTest.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace Tests\Feature\Entries;
+
+use Facades\Statamic\CP\LivePreview;
+use Facades\Tests\Factories\EntryFactory;
+use Illuminate\Support\Facades\Route;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\Entry;
+use Statamic\View\View;
+use Tests\FakesViews;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class AddsHeadersToLivePreviewTest extends TestCase
+{
+    use FakesViews;
+    use PreventSavingStacheItemsToDisk;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        // The array driver would store entry instances in memory, and we could get false-positive
+        // tests by just modifying the entry without actually performing the substitution.
+        config(['cache.default' => 'file']);
+
+        EntryFactory::collection('test')->id('1')->slug('alfa')->data(['title' => 'Alfa', 'foo' => 'Alfa foo'])->create();
+
+        $this->withFakeViews();
+
+        $this->viewShouldReturnRaw('test', '');
+    }
+
+    protected function resolveApplicationConfiguration($app)
+    {
+        parent::resolveApplicationConfiguration($app);
+
+        // Use our View::make() to make sure the Cascade is used.
+        // We'd use Route::statamic() but it isn't available at this point.
+        Route::get('/test', fn () => View::make('test'))->middleware('statamic.web');
+    }
+
+    #[Test]
+    public function it_doesnt_set_header_when_single_site()
+    {
+        $this->setSites(['en' => ['url' => 'http://localhost/', 'locale' => 'en']]);
+        $substitute = EntryFactory::collection('test')->id('2')->slug('charlie')->data(['title' => 'Substituted title', 'foo' => 'Substituted foo'])->make();
+
+        LivePreview::tokenize('test-token', $substitute);
+
+        $this->get('/test?token=test-token')
+            ->assertHeader('X-Statamic-Live-Preview', true)
+            ->assertHeaderMissing('Content-Security-Policy', true);
+    }
+
+    #[Test]
+    public function it_sets_header_when_multisite()
+    {
+        config()->set('statamic.system.multisite', true);
+        $this->setSites([
+            'en' => ['url' => 'http://localhost/', 'locale' => 'en'],
+            'fr' => ['url' => 'http://localhost/fr/', 'locale' => 'fr'],
+            'third' => ['url' => 'http://third/', 'locale' => 'en'],
+        ]);
+        $substitute = EntryFactory::collection('test')->id('2')->slug('charlie')->data(['title' => 'Substituted title', 'foo' => 'Substituted foo'])->make();
+
+        LivePreview::tokenize('test-token', $substitute);
+
+        $this->get('/test?token=test-token')
+            ->assertHeader('X-Statamic-Live-Preview', true)
+            ->assertHeader('Content-Security-Policy', 'frame-ancestors http://localhost http://third');
+    }
+}