From 3795d598740b8def00236f4f44aae2ce93302e3e Mon Sep 17 00:00:00 2001
From: Andrew Aitken-Fincham
Date: Mon, 18 Dec 2017 09:46:35 +0000
Subject: [PATCH] add switch for commited/remote js and security section to readme
---
 README.md | 21 ++++++++++++++++++++-
 code/ControllerExtension.php | 21 ++++++++++++++++++---
 code/SiteConfigExtension.php | 24 ++++++++++++++----------
 javascript/k33spt.min.js | 1 +
 templates/WomensRefugeShieldButton.ss | 1 -
 5 files changed, 53 insertions(+), 15 deletions(-)
 create mode 100644 javascript/k33spt.min.js
diff --git a/README.md b/README.md
index a3de170..d84e936 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,25 @@ Alternatively, you can include `$WomensRefugeShieldButton` anywhere in your temp
 ![Button in the footer](img/screenshots/button_in_footer.PNG?raw=true)
+## Security
+
+This module does allow Javascript from a third-party source, and as such should be treated with a level of caution. Theoretically, this could change at any time. As a result, a copy of the Javascript has been included in the module, which will be periodically updated when the remote script is.
+
+By default, the module will use the committed version of the Javascript. To authorise the use of the remote version, add the following to your site config:
+
+```yaml
+AndrewAndante\WomensRefugeShield\ControllerExtension:
+ use_remote_js: true
+```
+
+We have spoken with the original authors of the script, and it has undergone security testing, in particular with regards to:
+
+- How well the site meets the objectives of being difficult to detect.
+- How secure the Shielded Site is.
+- Whether the inclusion of the Shielded Site introduces significant risk to sites it is hosted on.
+
+We are satisfied with this review, but each site is different and will have different requirements for you to consider.
+
 ## Versioning
 - version 1.x is for SilverStripe 3
@@ -42,5 +61,5 @@ You can view all the options on the [Women's Refuge Shielded Site website](https
 # Special Thanks
 - Katie Elks for the inspiration!
-- Simon Erkelens for the module Skeleton!
+- Simon Erkelens for the module skeleton!
 - [Women's Refuge New Zealand](https://shielded.co.nz/) for the implementation!
diff --git a/code/ControllerExtension.php b/code/ControllerExtension.php
index 91c44b8..ed777e8 100644
--- a/code/ControllerExtension.php
+++ b/code/ControllerExtension.php
@@ -3,11 +3,11 @@
 namespace AndrewAndante\WomensRefugeShield;
 use SilverStripe\CMS\Controllers\ContentController;
+use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Extension;
 use SilverStripe\SiteConfig\SiteConfig;
 use SilverStripe\View\Requirements;
-
 /**
 * Class AndrewAndante\WomensRefugeShield\ControllerExtension
 *
@@ -15,17 +15,22 @@
 */
 class ControllerExtension extends Extension
 {
+ /**
+ * @var bool
+ * @config
+ */
+ private static $use_remote_js = false;
 public function onAfterInit()
 {
 $config = SiteConfig::current_site_config();
 switch ($config->ShieldCode) {
 case 1:
- Requirements::javascript('https://d3f5l8ze0o4j2m.cloudfront.net/m87/k33spt.js');
+ $this->requireCoreJS();
 Requirements::javascript('andrewandante/womens-refuge-shield: javascript/large_tab.js');
 break;
 case 2:
- Requirements::javascript('https://d3f5l8ze0o4j2m.cloudfront.net/m87/k33spt.js');
+ $this->requireCoreJS();
 Requirements::javascript('andrewandante/womens-refuge-shield: javascript/small_tab.js');
 break;
 }
@@ -33,6 +38,16 @@ public function onAfterInit()
 public function getWomensRefugeShieldButton()
 {
+ $this->requireCoreJS();
 return $this->owner->renderWith('WomensRefugeShieldButton');
 }
+
+ protected function requireCoreJS()
+ {
+ if (Config::inst()->get(self::class, 'use_remote_js')) {
+ Requirements::javascript('https://d3f5l8ze0o4j2m.cloudfront.net/m87/k33spt.js');
+ } else {
+ Requirements::javascript('andrewandante/womens-refuge-shield: javascript/k33spt.min.js');
+ }
+ }
 }
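Review bot: The new `$use_remote_js` property is the switch that decides whether script is fetched from a third-party host at request time, yet its docblock says only `@var bool` and `@config`; add a line such as `Load k33spt.js from the vendor CDN instead of the copy committed in javascript/k33spt.min.js; defaults to false (committed copy).` so the consequence of flipping it is visible next to the value. The same `$this->requireCoreJS();` line is now repeated in `case 1` and `case 2` of the `switch`; hoisting it into one guard before the switch, `if (in_array($config->ShieldCode, [1, 2], true)) { $this->requireCoreJS(); }`, would leave each branch with only its tab-specific script. The class body continues past the end of this hunk.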
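Review bot: `requireCoreJS()` has no docblock, and its remote branch loads `k33spt.js` from the CDN with nothing pinning the content, so a site that opts in executes whatever that host serves on every request; the method comment should state that the default branch serves the committed `javascript/k33spt.min.js`, that `use_remote_js` opts into live third-party script, and that even the committed copy still fetches the `sm.png`/`lg.png` icons from `cloudfront.net` (visible in the new `k33spt.min.js` hunk), so committed mode removes remote script but not every remote load. The extra `$this->requireCoreJS();` added in `getWomensRefugeShieldButton()` is presumably deduplicated by `Requirements` against the call from `onAfterInit()` when both run on one page, but that is worth confirming since the template previously required the script itself. A short note on why the method is `protected` rather than `private` (subclass override of the source?) would also help the next reader.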
diff --git a/code/SiteConfigExtension.php b/code/SiteConfigExtension.php
index 73e905a..70f1b8e 100644
--- a/code/SiteConfigExtension.php
+++ b/code/SiteConfigExtension.php
@@ -16,18 +16,22 @@ class SiteConfigExtension extends DataExtension
 {
- private static $db = array(
- 'ShieldCode' => 'Int'
- );
+ private static $db = [
+ 'ShieldCode' => 'Int',
+ ];
+
+ private static $defaults = [
+ 'UseShieldModuleJs' => false,
+ ];
 public function updateCMSFields(FieldList $fields)
 {
- $fields->addFieldToTab('Root.Main',
- $selector = DropdownField::create('ShieldCode', 'Select the type of shield to display', [
- 1 => 'Large Tab',
- 2 => 'Small Tab',
- 3 => 'None',
- ]));
- $selector->setEmptyString('-- Choose your shield --');
+ $fields->addFieldsToTab('Root.Main', [
+ DropdownField::create('ShieldCode', 'Select the type of shield to display', [
+ 1 => 'Large Tab',
+ 2 => 'Small Tab',
+ 3 => 'None',
+ ])->setEmptyString('-- Choose your shield --')
+ ]);
 }
 }
diff --git a/javascript/k33spt.min.js b/javascript/k33spt.min.js
new file mode 100644
index 0000000..0d10934
--- /dev/null
+++ b/javascript/k33spt.min.js
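Review bot: The new `$defaults` entry `'UseShieldModuleJs' => false` names a field that is neither declared in `$db` nor read anywhere else in this diff; the switch the commit actually introduces is the `use_remote_js` YAML config on `ControllerExtension`, so this default is dead and implies a per-site CMS toggle that does not exist. Either drop the `$defaults` block or add a `'UseShieldModuleJs' => 'Boolean'` column to `$db` and have `requireCoreJS()` consult it. The rewritten `updateCMSFields()` also omits the trailing comma after the `setEmptyString(...)` element, unlike the neighbouring `$db` and `$defaults` arrays; `])->setEmptyString('-- Choose your shield --'),` keeps the array style consistent.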
@@ -0,0 +1 @@
+var ds07o6pcmkorn=function(e){var t=this;t.left=e.left||0,t.top=e.top||0,t.icon=e.iconSize||"big",t.smallIcon="https://d3f5l8ze0o4j2m.cloudfront.net/m87/sm.png",t.bigIcon="https://d3f5l8ze0o4j2m.cloudfront.net/m87/lg.png",t.elementId=e.openElementId||"",t.btn=function(){return'Enter the Shielded Site'},t.frame='',t.iconSize=function(e){return"big"===e?t.bigIcon:t.smallIcon},t.addButton=function(){document.body.insertAdjacentHTML("afterbegin",t.btn())},t.openFrame=function(e){e.preventDefault?e.preventDefault():e.returnValue=!1,t.modalEl.style.display="block",document.body.style.overflow="hidden",t.frameOpenerEl.style.opacity=0},t.closeFrame=function(e){e.preventDefault?e.preventDefault():e.returnValue=!1,document.body.removeAttribute("style"),t.modalEl.style.display="none",t.frameOpenerEl.style.opacity=1},t.init=function(){document.body.insertAdjacentHTML("afterbegin",t.frame),t.modalEl=document.getElementById("modal"),document.getElementById("frame-close").addEventListener("click",t.closeFrame),t.elementId?t.frameOpenerEl=document.querySelector(t.elementId):(t.addButton(),t.frameOpenerEl=document.getElementById("frame-opener")),t.frameOpenerEl.addEventListener("click",t.openFrame)}};
diff --git a/templates/WomensRefugeShieldButton.ss b/templates/WomensRefugeShieldButton.ss
index e257a88..11ed545 100644
--- a/templates/WomensRefugeShieldButton.ss
+++ b/templates/WomensRefugeShieldButton.ss
@@ -1,4 +1,3 @@
-<% require javascript("https://d3f5l8ze0o4j2m.cloudfront.net/m87/k33spt.js") %>
 <% require javascript("andrewandante/womens-refuge-shield: javascript/button.js") %>
 <% require css("andrewandante/womens-refuge-shield: css/button.css") %>