Idea #17109
closed
Support keep-web URLs with collection in the domain name
Description
WebDAV supports URLs where the collection uuid/PDH is embedded in the DNS name rather than the path, for example:
Services:
  WebDAV:
    ExternalURL: https://*.collections.ClusterID.example.com/
or
Services:
  WebDAV:
    ExternalURL: https://*--collections.ClusterID.example.com/
This is documented in https://doc.arvados.org/v2.1/api/keep-web-urls.html
This configuration needs to be supported in Workbench 2 for "inline" browser links like opening a file from Keep in a new browser tab, or displaying an image from Keep inline.
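A sketch of how a client could build an inline link from either wildcard ExternalURL form, added here as an example and not taken from Workbench 2. The function name, the identifier patterns and the replacement of "+" with "-" for a PDH in the host name are assumptions of this example; the identifier check keeps untrusted input from changing the host part of the link.

```javascript
// Assumed identifier formats (example only): collection UUID and portable data hash.
const UUID_RE = /^[a-z0-9]{5}-4zz18-[a-z0-9]{15}$/;
const PDH_RE = /^[0-9a-f]{32}\+[0-9]+$/;

// Hypothetical helper: externalUrl is the Services.WebDAV.ExternalURL value.
function inlineFileUrl(externalUrl, collectionId, filePath) {
  // Reject anything that is not a bare UUID/PDH before it goes into a DNS label,
  // so a crafted identifier cannot point the link at another host.
  if (!UUID_RE.test(collectionId) && !PDH_RE.test(collectionId)) {
    throw new Error("not a collection UUID or PDH: " + collectionId);
  }
  // Accept only the two wildcard forms: "*.collections..." and "*--collections...".
  const m = /^(https?:\/\/)\*(\.|--)([^\/]+)\/?$/.exec(externalUrl);
  if (!m) {
    throw new Error("ExternalURL has no collection wildcard: " + externalUrl);
  }
  // "+" is not valid in a DNS label; this example assumes "-" is used instead.
  const label = collectionId.replace("+", "-");
  // Encode each path segment so a file name cannot add a query or fragment.
  const path = filePath.split("/").filter(Boolean).map(encodeURIComponent).join("/");
  return `${m[1]}${label}${m[2]}${m[3]}/${path}`;
}

// Constructed sample values.
console.log(inlineFileUrl("https://*.collections.ClusterID.example.com/",
  "zzzzz-4zz18-0123456789abcde", "dir/my file.png"));
console.log(inlineFileUrl("https://*--collections.ClusterID.example.com/",
  "d41d8cd98f00b204e9800998ecf8427e+0", "a.txt"));
```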
Related issues
Updated by Peter Amstutz about 4 years ago
- Blocked by Feature #17011: Add keep-web wildcard DNS to salt added
Updated by Peter Amstutz almost 4 years ago
- Target version set to 2021-01-06 Sprint
Updated by Peter Amstutz almost 4 years ago
- Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint
Updated by Lucas Di Pentima almost 4 years ago
- Assigned To set to Lucas Di Pentima
Updated by Lucas Di Pentima almost 4 years ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima almost 4 years ago
17109-keepweb-webdav-urls
Test runs:
- developer-tests-workbench2: #235
- developer-tests-workbench2: #236
- developer-tests-workbench2: #237
- developer-tests-workbench2: #238
- developer-tests-workbench2: #239
Changes:
- Fixes inline file url handling/building
- Adds tests
- Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.
Updated by Peter Amstutz almost 4 years ago
From chat:
The inline image link behaves in some confusing ways because of "SameSite" cookie policies and the keep-web redirect.
If you link to the image from workbench2 hosted on the same "site", then it is a same-site request and keep-web can set cookies.
If you link to the image from workbench2 hosted on a different "site", then it is a cross-site request and keep-web cannot set cookies.
If you navigate to the image with "open in new tab", the "Lax" policy permits setting cookies because you are navigating to a new page.
When doing development or testing and running workbench2 on your workstation, it will be "localhost" (or whatever) which is not the same site as the zzzzz.arvadosapi.com.
Add some text to https://doc.arvados.org/main/api/keep-web-urls.html explaining that workbench2 and keep-web shouldn't have the same "origin" but they should have the same "site" as explained here:
Documentation of cookie policies:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Updated by Peter Amstutz almost 4 years ago
Lucas Di Pentima wrote:
Updates at arvados-workbench2|10dcb972 - branch 17109-keepweb-webdav-urls
Test runs:
- developer-tests-workbench2: #235
- developer-tests-workbench2: #236
- developer-tests-workbench2: #237
- developer-tests-workbench2: #238
- developer-tests-workbench2: #239
Changes:
- Fixes inline file url handling/building
- Adds tests
- Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.
This LGTM.
Once this deploys let's do some testing to confirm that it does actually work the way we want it to when wb2 is on the "same site" as keep-web.
Also asking for a doc branch that covers information in note-10.
Updated by Lucas Di Pentima almost 4 years ago
Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc
- Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.
Updated by Lucas Di Pentima almost 4 years ago
WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: developer-tests-workbench2: #245
- Adds support for building keep-web urls with PDHs.
- Adds/updates tests.
Updated by Peter Amstutz almost 4 years ago
Lucas Di Pentima wrote:
Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc
- Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.
"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2
The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.
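The same-site behaviour discussed in the comments above, worked through as an added example that is not part of the original thread or of the Arvados code. The suffix set is a constructed stand-in for the Public Suffix List, the host names other than zzzzz.arvadosapi.com and localhost are made up, and the function names are hypothetical; only registrable domains are compared, not schemes.

```javascript
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain; fall back to the host.
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // localhost, IP literals, suffixes not in the sample set
}

// mode: "inline" (e.g. an <img> inside a Workbench page) or
//       "new-tab" (top-level navigation, which "Lax" lets set cookies).
function previewOutcome(workbenchUrl, keepWebUrl, mode) {
  const wb = new URL(workbenchUrl);
  const kw = new URL(keepWebUrl);
  const sameOrigin = wb.origin === kw.origin;
  const sameSite = registrableDomain(wb.hostname) === registrableDomain(kw.hostname);
  // keep-web answers a token-in-URL request with a redirect that sets a cookie.
  // If the browser ignores that cookie, the redirected request carries no token.
  const cookieKept = sameSite || mode === "new-tab";
  return {
    sameOrigin,
    sameSite,
    cookieKept,
    result: cookieKept ? "authenticated" : "unauthenticated",
    // Layout the thread asks for: same site, different origin.
    recommendedLayout: sameSite && !sameOrigin,
  };
}

const keepWeb = "https://collections.zzzzz.arvadosapi.com/image.png";
console.log(previewOutcome("https://workbench2.zzzzz.arvadosapi.com/", keepWeb, "inline"));
console.log(previewOutcome("http://localhost:3000/", keepWeb, "inline"));
console.log(previewOutcome("http://localhost:3000/", keepWeb, "new-tab"));
```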
Updated by Lucas Di Pentima almost 4 years ago
- Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint
Updated by Peter Amstutz almost 4 years ago
Lucas Di Pentima wrote:
WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: developer-tests-workbench2: #245
- Adds support for building keep-web urls with PDHs.
- Adds/updates tests.
This LGTM.
Updated by Lucas Di Pentima almost 4 years ago
Peter Amstutz wrote:
"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2
The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.
Updated the documentation at 5727f6452
Updated by Peter Amstutz almost 4 years ago
Just one comment:
"specially" in "specially when rendering inline content" is a typo, the word you want is "especially"
Rest LGTM.
Updated by Anonymous almost 4 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|3576206ef265d0040bcc93899b9885f16b5919e6.