From 23f86b5d87510f27489e27ee3f9ad80f32950c2c Mon Sep 17 00:00:00 2001
From: Nar Cuenca
Date: Fri, 6 Sep 2024 14:18:06 +0800
Subject: [PATCH 1/2] task: add CSP settings check for duo mode toggle

---
 .../src/app/views/ItemEdit/ItemEdit.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js b/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
index 6553fba849..f8e72c719e 100644
--- a/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
+++ b/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
@@ -100,6 +100,18 @@ export default function ItemEdit() {
 const duoModeDisabled =
 isFetching ||
 instanceSettings?.find((setting) => {
+ // Makes sure that the CSP value is either empty or contains
+ // frame-ancestors 'self' zesty.io *.zesty.io anywhere in the value
+ const invalidCSPSettings =
+ setting.key === "content_security_policy" && !!setting.value
+ ? !setting.value.includes("frame-ancestors") ||
+ !setting.value.includes("'self'") ||
+ !(
+ setting.value.includes("zesty.io") ||
+ setting.value.includes("*.zesty.io")
+ )
+ : false;
+
 // if any of these settings are present then DuoMode is unavailable
 return (
 (setting.key === "basic_content_api_key" && setting.value) ||
@@ -107,7 +119,8 @@ export default function ItemEdit() {
 (setting.key === "authorization_key" && setting.value) ||
 (setting.key === "x_frame_options" &&
 !!setting.value &&
- setting.value !== "sameorigin")
+ setting.value !== "sameorigin") ||
+ invalidCSPSettings
 );
 }) ||
 model?.type === "dataset";

From 363e934bbbff5cfd143692a7e6c8078754e46b56 Mon Sep 17 00:00:00 2001
From: Nar Cuenca
Date: Tue, 17 Sep 2024 12:13:43 +0800
Subject: [PATCH 2/2] task: check referrer policy setting for duo mode toggle

---
 src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js | 3 +++
 1 file changed, 3 insertions(+)
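Review bot: The new `invalidCSPSettings` test in the first hunk searches the whole policy string, so it accepts a CSP whose frame-ancestors directive actually forbids framing, e.g. `frame-ancestors 'none'; img-src 'self' zesty.io` passes all three `includes` checks, and the `*.zesty.io` alternative is dead code because `includes("zesty.io")` already matches it. The comparison is also case-sensitive although CSP directive names and host sources are ASCII case-insensitive, so `Frame-Ancestors 'self' ZESTY.IO` would wrongly disable DuoMode. Parsing out the frame-ancestors directive and checking only its sources is a more faithful gate; the exact set of zesty.io hosts the preview needs is not visible here, so the helper below accepts zesty.io plus any subdomain or wildcard of it — confirm against the real preview origin. The `find` callback and `duoModeDisabled` begin before the hunk, and the second hunk of this patch only appends `|| invalidCSPSettings`, which stays as is.
```javascript
// Module level: true when the frame-ancestors directive lists 'self' and a
// zesty.io source. Directive names and host sources are case-insensitive.
function allowsZestyFrameAncestors(csp) {
  const directive = csp
    .toLowerCase()
    .split(";")
    .map((part) => part.trim().split(/\s+/))
    .find(([name]) => name === "frame-ancestors");
  if (!directive) return false;
  const sources = directive.slice(1);
  const isZestyHost = (src) => {
    const host = src.replace(/^https?:\/\//, "").split(/[:/]/)[0];
    return host === "zesty.io" || host.endsWith(".zesty.io");
  };
  return sources.includes("'self'") && sources.some(isZestyHost);
}

// … unchanged: ItemEdit() up to the instanceSettings?.find callback …
      // An explicit CSP must allow this origin and zesty.io as frame
      // ancestors; an empty CSP setting imposes no restriction.
      const invalidCSPSettings =
        setting.key === "content_security_policy" &&
        !!setting.value &&
        !allowsZestyFrameAncestors(setting.value);
// … unchanged: remaining setting checks and return …
```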
diff --git a/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js b/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
index 36568b7389..db0c316f1a 100644
--- a/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
+++ b/src/apps/content-editor/src/app/views/ItemEdit/ItemEdit.js
@@ -128,6 +128,9 @@ export default function ItemEdit() {
 (setting.key === "x_frame_options" &&
 !!setting.value &&
 setting.value !== "sameorigin") ||
+ (setting.key === "referrer_policy" &&
+ !!setting.value &&
+ setting.value !== "strict-origin-when-cross-origin") ||
 invalidCSPSettings
 );
 }) ||
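Review bot: The new `referrer_policy` branch disables DuoMode for every value other than the exact string `strict-origin-when-cross-origin`, so a value with surrounding whitespace or the comma-separated fallback form the Referrer-Policy header allows (`no-referrer, strict-origin-when-cross-origin`) trips the gate, and nothing in the hunk or the commit message records why other policies are incompatible with DuoMode. At minimum compare the trimmed value, `setting.value.trim() !== "strict-origin-when-cross-origin"`, and add a comment above the branch stating which behaviour DuoMode depends on and why only this policy provides it, so the next reader does not have to rediscover the reason. If further policies turn out to be acceptable, an allow-list `Set` checked with `.has()` would read better than extending the chain of inequalities. The enclosing `find` callback and `duoModeDisabled` begin before the hunk.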