4 changed files with 4 additions and 2 deletions
--- a/passerelle/apps/phonecalls/models.py
+++ b/passerelle/apps/phonecalls/models.py
@ -72,7 +72,8 @@ class PhoneCalls(BaseResource):

        # open agent's portal in a new tab
        if newtab and redirect_url:
-            return render(request, 'phonecalls/start_call_newtab.html', {'redirect_url': redirect_url})
+            response = render(request, 'phonecalls/start_call_newtab.html', {'redirect_url': redirect_url})
+            response.xframe_options_exempt = True
        return response

    @endpoint(
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@ -477,7 +477,6 @@ def test_availability_parameters(app, admin_user, monkeypatch):
    assert 'Availability check' in resp.text

    resp = resp.click('Availability check')
-    assert 'up' in resp.text
    resp.form['run_check'] = False
    resp = resp.form.submit()
    # Connector status not changed, availability parameters changed
--- a/tests/test_phonecalls.py
+++ b/tests/test_phonecalls.py
@ -193,6 +193,7 @@ def test_phonecalls_start_newtab(app, phonecalls):
        params={'apikey': '123', 'callee': '42', 'caller': '0612345678', 'newtab': '1'},
    )
    assert resp.content_type == 'text/html'
+    assert 'X-Frame-Options' not in resp.headers
    assert 'window.open("https://portail\\u002Dagent.publik/?callee\\u003D42")' in resp.text
    assert Call.objects.filter(callee='42', caller='0612345678').count() == 1

--- a/tox.ini
+++ b/tox.ini
@ -49,6 +49,7 @@ deps =
  zeep<3.3
  codestyle: pre-commit
  ldaptools
+  Pillow<9.5.0
  python-ldap<=3.2  # align with Debian <= 11 (buster, bullseye)
  git+https://git.entrouvert.org/publik-django-templatetags.git
 commands =