Project

General

Profile

Actions

Idea #17109

closed

Support keep-web URLs with collection the domain name

Added by Peter Amstutz about 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Workbench2
Target version:
Start date:
01/13/2021
Due date:
Story points:
-
Release relationship:
Auto

Description

WebDAV supports URLs where the collection uuid/PDH is embedded in the DNS name rather than the path, for example:

    Services:
      WebDAV:
        ExternalURL: https://*.collections.ClusterID.example.com/

or
    Services:
      WebDAV:
        ExternalURL: https://*--collections.ClusterID.example.com/

This is documented in https://doc.arvados.org/v2.1/api/keep-web-urls.html

This configuration needs to be supported in Workbench 2 for "inline" browser links like opening a file from Keep in a browser new tab, or displaying an image from Keep inline.


Subtasks 2 (0 open2 closed)

Task #17237: Review 17109-keepweb-webdav-urlsResolvedPeter Amstutz01/13/2021Actions
Task #17263: Review 17109-keepweb-urls-samesite-docResolvedPeter Amstutz01/15/2021Actions

Related issues 1 (0 open1 closed)

Blocked by Arvados - Feature #17011: Add keep-web wildcard DNS to saltResolvedWard Vandewege11/25/2020Actions
Actions #1

Updated by Peter Amstutz about 4 years ago

Actions #2

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #3

Updated by Peter Amstutz about 4 years ago

  • Target version set to 2021-01-06 Sprint
Actions #4

Updated by Peter Amstutz about 4 years ago

  • Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint
Actions #5

Updated by Peter Amstutz almost 4 years ago

  • Category set to Workbench2
Actions #6

Updated by Lucas Di Pentima almost 4 years ago

  • Assigned To set to Lucas Di Pentima
Actions #7

Updated by Peter Amstutz almost 4 years ago

  • Description updated (diff)
Actions #8

Updated by Lucas Di Pentima almost 4 years ago

  • Status changed from New to In Progress
Actions #9

Updated by Lucas Di Pentima almost 4 years ago

Updates at arvados-workbench2|10dcb972 - branch 17109-keepweb-webdav-urls
Test runs: Changes:
  • Fixes inline file url handling/building
  • Adds tests
  • Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.
Actions #10

Updated by Peter Amstutz almost 4 years ago

From chat:

The inline image link behaves in some confusing ways because of "SameSite" cookie policies and the keep-web redirect.

If you link to the image from workbench2 hosted on the same "site", then it is a same-site request and keep-web can set cookies.

If you link to the image from workbench2 hosted on a different "site", then it is a cross-site request and keep-web cannot set cookies.

If you navigate to the image with "open in new tab", the "Lax" policy permits setting cookies because you are navigating to a new page.

When doing development or testing and run workbench2 on your workstation, it will be "localhost" (or whatever) which is not the same site as the zzzzz.arvadosapi.com.

Add some text to https://doc.arvados.org/main/api/keep-web-urls.html explaining that workbench2 and keep-web shouldn't have the same "origin" but they should have the same "site" as explained here:

https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute

Documentation of cookie policies:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Actions #11

Updated by Peter Amstutz almost 4 years ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|10dcb972 - branch 17109-keepweb-webdav-urls
Test runs: Changes:
  • Fixes inline file url handling/building
  • Adds tests
  • Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.

This LGTM.

Once this deploys let's do some testing to confirm that it does actually work the way we want it to when wb2 is on the "same site" as keep-web.

Also asking for a doc branch that covers information in note-10.

Actions #12

Updated by Lucas Di Pentima almost 4 years ago

Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc

  • Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.
Actions #13

Updated by Lucas Di Pentima almost 4 years ago

WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: developer-tests-workbench2: #245

  • Adds support for building keep-web urls with PDHs.
  • Adds/updates tests.
Actions #14

Updated by Peter Amstutz almost 4 years ago

Lucas Di Pentima wrote:

Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc

  • Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.

"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2

The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.

Actions #15

Updated by Lucas Di Pentima almost 4 years ago

  • Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint
Actions #16

Updated by Peter Amstutz almost 4 years ago

Lucas Di Pentima wrote:

WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: developer-tests-workbench2: #245

  • Adds support for building keep-web urls with PDHs.
  • Adds/updates tests.

This LGTM.

Actions #17

Updated by Lucas Di Pentima almost 4 years ago

Peter Amstutz wrote:

"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2

The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.

Updated the documentation at 5727f6452

Actions #18

Updated by Peter Amstutz almost 4 years ago

Just one comment:

"specially" in "specially when rendering inline content" is a typo, the word you want is "especially"

Rest LGTM.

Actions #19

Updated by Anonymous almost 4 years ago

  • Status changed from In Progress to Resolved
Actions

Also available in: Atom PDF