Bug #17202
[keep-web] Don't use 303-with-cookie when serving inline preview content as a third-party site
Status:
New
Priority:
Normal
Assigned To:
-
Category:
Keep
Target version:
-
Start date:
12/09/2020
Due date:
% Done:
100%
Estimated time:
(Total: 0.00 h)
Story points:
-
Release:
Release relationship:
Auto
Description
When using keep-web to serve inline image content, Workbench2 uses URLs like these:
https://ce8i5-4zz18-ykh8x2x89lq6iet.collections.zzzzz.example.com/IMG_20140713_123631.jpg?api_token=v2/example/secretsecrettoken https://collections.zzzzz.example.com/c=ce8i5-4zz18-ykh8x2x89lq6iet/t=secretsecrettoken/IMG_20140713_123631.jpgThere are two problems, which together make it impossible for Workbench2 to serve previews:
- keep-web responds to the first form with HTTP 303, an equivalent URL with the token part removed, and a cookie containing the token. This is a third-party cookie, which modern browsers reject to avoid XSS attacks, so the 2nd request fails 401.
- keep-web has no way of accepting a v2 token in the 2nd form, because a v2 token contains "/" character.
- Keep-web should skip the 303-with-cookie behavior when serving inline content as a third party, i.e., when the request Origin header value is non-empty. This way Workbench2 can show inline images with
<img crossorigin="anonymous" src="...">
. (this part is done & merged, see notes 4-6) - Keep-web should accept an URL-encoded token in the path, like
/t=v2%2Fexample%2Fsecretsecrettoken/...
(note this will be confusing because the % escape character will need to be escaped in order to appear in a URL:/t=v2%252Fexample%252Fsecretsecrettoken/...
)
Subtasks
Related issues
Associated revisions
History
#2
Updated by Tom Clegg 4 months ago
- Related to Bug #16812: Token appears in the download URL, being shared by accident added
#4
Updated by Tom Clegg 4 months ago
17202-no-redir-crossorigin @ 2c8b44cdaefa4434eadbbe2cb24dabac8cc3bfa9 -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2212/
This should work with image tags like <img crossorigin="anonymous" src="https://download.ce8i5.arvadosapi.com/c=ce8i5-4zz18-ykh8x2x89lq6iet/IMG_20140713_123631.jpg?api_token=v2/foo/bar">
(this is running on ce8i5 now, until we [auto]deploy over it)
#5
Updated by Lucas Di Pentima 4 months ago
This LGTM. Tested manually on wb2 against ce8i5.
#6
Updated by Tom Clegg 4 months ago
17202-no-redir-crossorigin @ b2c1a6e50a3bfc8890c7c9197e49077b6032a087 -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2213/
#8
Updated by Peter Amstutz about 2 months ago
- Release set to 37
Merge branch '17202-no-redir-crossorigin'
refs #17202
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>