Renamed injection services

roles/sys-srv-web-inj-desktop/README.md

@@ -0,0 +1,24 @@
+
+# 🌐 iFrame Notifier for Nginx
+
+This Ansible role injects a small JavaScript snippet into your HTML responses that enables parent pages to get notified whenever the iframe’s location changes and forces external links to open in a new tab.
+
+---
+
+## Features
+
+- **Location Change Notification**  
+  Uses `postMessage` to inform the parent window of any URL changes inside the iframe (including pushState/popState events) for seamless SPA support.
+
+- **External Link Handling**  
+  Automatically sets `target="_blank"` and `rel="noopener"` on links pointing outside your primary domain to improve security and user experience.
+
+- **Easy CSP Integration**  
+  Calculates a CSP hash for the injected script so you can safely allow it via your Content Security Policy.
+
+---
+
+## Author
+
+Developed by **Kevin Veen-Birkenbach**
+[https://www.veen.world](https://www.veen.world) 🎉

roles/sys-srv-web-inj-desktop/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Injects a JS snippet into HTML to notify parent windows of iframe location changes and force external links to new tabs."
+  company: |
+    Kevin Veen-Birkenbach  
+    Consulting & Coaching Solutions  
+    https://www.veen.world
+  license: "Infinito.Nexus NonCommercial License"
+  repository: https://s.infinito.nexus/code
+  issue_tracker_url: https://s.infinito.nexus/issues
+  documentation: "https://docs.infinito.nexus/"
+  license_url: "https://s.infinito.nexus/license"
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Archlinux
+    versions:
+    - rolling
+  galaxy_tags:
+  - nginx
+  - iframe
+  - javascript
+  - csp
+  - security
+  - postMessage

roles/sys-srv-web-inj-desktop/tasks/01_deploy.yml

@@ -0,0 +1,16 @@
+- name: Deploy iframe-handler.js
+  template:
+    src: iframe-handler.js.j2
+    dest: "{{ INJ_DESKTOP_JS_FILE_DESTINATION }}"
+    owner: "{{ NGINX.USER }}"
+    group: "{{ NGINX.USER }}"
+    mode: '0644'
+
+- name: Get stat for iframe-handler.js
+  stat:
+    path: "{{ INJ_DESKTOP_JS_FILE_DESTINATION }}"
+  register: inj_port_ui_js_stat
+
+- name: Set inj_port_ui_js_version
+  set_fact:
+    inj_port_ui_js_version: "{{ inj_port_ui_js_stat.stat.mtime }}"

roles/sys-srv-web-inj-desktop/tasks/main.yml

@@ -0,0 +1,24 @@
+- block:
+  - name: Include dependency 'srv-web-7-4-core'
+    include_role:
+      name: srv-web-7-4-core
+    when: run_once_srv_web_7_4_core is not defined
+  - include_tasks: 01_deploy.yml
+  - include_tasks: utils/run_once.yml
+  when: run_once_sys_srv_web_inj_desktop is not defined
+
+# --- Build tiny inline initializer (CSP-hashed) ---
+- name: "Load iFrame init code for '{{ application_id }}'"
+  set_fact:
+    iframe_init_code: "{{ lookup('template','iframe-init_one_liner.js.j2') }}"
+
+- name: "Collapse iFrame init code into one-liner for '{{ application_id }}'"
+  set_fact:
+    iframe_init_code_one_liner: "{{ iframe_init_code | to_one_liner }}"
+
+- name: "Append iFrame init CSP hash for '{{ application_id }}'"
+  set_fact:
+    applications: "{{ applications | append_csp_hash(application_id, iframe_init_code_one_liner) }}"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  changed_when: false
+

roles/sys-srv-web-inj-desktop/templates/body_sub.j2

@@ -0,0 +1 @@
+<script>{{ iframe_init_code_one_liner }}</script>

roles/sys-srv-web-inj-desktop/templates/head_sub.j2

@@ -0,0 +1 @@
+<script src="{{ domains | get_url('web-svc-cdn', WEB_PROTOCOL) }}/{{ INJ_DESKTOP_JS_FILE_NAME }}?{{ inj_port_ui_js_version }}"></script>

roles/sys-srv-web-inj-desktop/templates/iframe-handler.js.j2

@@ -0,0 +1,57 @@
+(function (global) {
+  /**
+   * Initializes the iframe sync & external link forcing logic.
+   * @param {string} primary_domain
+   * @param {string} current_domain
+   * @param {string} allowedOrigin - Parent origin for postMessage
+   */
+  function initIframeHandler(primary_domain, current_domain, allowedOrigin) {
+    function notifyParent() {
+      if (window.self !== window.top) {
+        try {
+          window.parent.postMessage(
+            { type: "iframeLocationChange", href: window.location.href },
+            allowedOrigin
+          );
+        } catch (e) {}
+      }
+    }
+
+    function forceExternalLinks() {
+      Array.prototype.forEach.call(document.querySelectorAll("a[href]"), function (a) {
+        try {
+          var url = new URL(a.href, location);
+          // open new tab if link goes outside our primary OR current domain
+          if (!(url.hostname.endsWith(primary_domain) || url.hostname.endsWith(current_domain))) {
+            a.target = "_blank";
+            a.rel = "noopener";
+          }
+        } catch (e) {}
+      });
+    }
+
+    window.addEventListener("load", function () {
+      notifyParent();
+      forceExternalLinks();
+    });
+    window.addEventListener("popstate", function () {
+      notifyParent();
+      forceExternalLinks();
+    });
+
+    // SPA support
+    var _pushState = history.pushState;
+    history.pushState = function () {
+      _pushState.apply(history, arguments);
+      notifyParent();
+      forceExternalLinks();
+    };
+
+    {% if MODE_DEBUG | bool %}
+    try { console.log("[iframe-sync] initIframeHandler installed."); } catch (e) {}
+    {% endif %}
+  }
+
+  // expose for inline bootstrap
+  global.initIframeHandler = initIframeHandler;
+})(window);

roles/sys-srv-web-inj-desktop/templates/iframe-init_one_liner.js.j2

@@ -0,0 +1,10 @@
+document.addEventListener('DOMContentLoaded', function () {
+  initIframeHandler(
+    '{{ PRIMARY_DOMAIN }}',
+    '{{ domain }}',
+    '{{ domains | get_url("web-app-port-ui", WEB_PROTOCOL) }}'
+  );
+});
+{% if MODE_DEBUG | bool %}
+try { console.log("[iframe-sync] Sender for iframe messages is active."); } catch(e) {}
+{% endif %}

roles/sys-srv-web-inj-desktop/vars/main.yml

@@ -0,0 +1,2 @@
+INJ_DESKTOP_JS_FILE_NAME:       "iframe-handler.js"
+INJ_DESKTOP_JS_FILE_DESTINATION:  "{{ [ NGINX.DIRECTORIES.DATA.CDN, INJ_DESKTOP_JS_FILE_NAME ] | path_join }}"