Project

General

Profile

Actions

Bug #17202

closed

[keep-web] Don't use 303-with-cookie when serving inline preview content as a third-party site

Added by Tom Clegg about 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Keep
Target version:
-
Story points:
-
Release relationship:
Auto

Description

When using keep-web to serve inline image content, Workbench2 uses URLs like these:

https://ce8i5-4zz18-ykh8x2x89lq6iet.collections.zzzzz.example.com/IMG_20140713_123631.jpg?api_token=v2/example/secretsecrettoken

https://collections.zzzzz.example.com/c=ce8i5-4zz18-ykh8x2x89lq6iet/t=secretsecrettoken/IMG_20140713_123631.jpg
There are two problems, which together make it impossible for Workbench2 to serve previews:
  1. keep-web responds to the first form with HTTP 303, an equivalent URL with the token part removed, and a cookie containing the token. This is a third-party cookie, which modern browsers reject to avoid XSS attacks, so the 2nd request fails 401.
  2. keep-web has no way of accepting a v2 token in the 2nd form, because a v2 token contains "/" character.
Proposed solutions:
  1. Keep-web should skip the 303-with-cookie behavior when serving inline content as a third party, i.e., when the request Origin header value is non-empty. This way Workbench2 can show inline images with <img crossorigin="anonymous" src="...">. (this part is done & merged, see notes 4-6)
  2. Keep-web should accept an URL-encoded token in the path, like /t=v2%2Fexample%2Fsecretsecrettoken/... (note this will be confusing because the % escape character will need to be escaped in order to appear in a URL: /t=v2%252Fexample%252Fsecretsecrettoken/...)

Subtasks 1 (0 open1 closed)

Task #17203: Review 17202-no-redir-crossoriginResolvedTom Clegg12/09/2020Actions

Related issues 1 (0 open1 closed)

Related to Arvados - Bug #16812: Token appears in the download URL, being shared by accidentResolvedDaniel KutyƂa10/07/2020Actions
Actions

Also available in: Atom PDF