Idea #8177

closed

[Workbench] Add trust_all_content configuration to mirror keep-web's

Added by Brett Smith over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Radhika Chippada
Category:
Workbench
Target version:
Start date:
01/18/2016
Due date:
Story points:
0.5

Description

This should be false by default, because it means you're vulnerable to XSS. But setting it to true and using keep-web would be better than falling back to the arv-get code, so it's worthwhile.

  • The configuration setting is trust_all_content. Its default is false. When true, Workbench will redirect users to keep-web even when that exposes XSS vulnerabilities.
  • There should be a comment in application.default.yml explaining the security risks of the feature to administrators. It should also note that the corresponding setting must also be enabled on keep-web.
  • Add a section to the Workbench install guide that explains this configuration, with basically the same wording.
  • There's already a test that the XSS protection kicks in. That should continue passing when trust_all_content is false. Add a test alongside it that the redirect happens normally when trust_all_content is true.
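The decision the setting controls, as an added illustration that is not Workbench's own code: a helper that only hands a browser-renderable file to keep-web when trust_all_content is enabled, and otherwise falls back to Workbench streaming the file itself. The list of renderable types, the keep-web URL layout and the sample identifiers are assumptions made for this example.

```ruby
require 'erb'

# Content types a browser renders inline, so script inside the file would run
# in keep-web's origin. The list is an assumption for this illustration.
RENDERABLE_TYPES = %w[text/html application/xhtml+xml image/svg+xml].freeze

# Decide how Workbench should serve one file from a collection.
# Returns [:redirect, url] when the file can be handed to keep-web, or
# [:fallback, nil] when Workbench must stream it itself (the arv-get path).
#
#   keep_web_url       base URL of the keep-web service (nil if not configured)
#   trust_all_content  the Workbench setting this ticket adds; default false
def serve_decision(uuid_or_pdh, path, content_type,
                   keep_web_url:, trust_all_content: false)
  return [:fallback, nil] if keep_web_url.nil? || keep_web_url.empty?

  # Normalise "TEXT/HTML; charset=utf-8" to "text/html" before comparing.
  media_type = content_type.to_s.split(';').first.to_s.strip.downcase
  renderable = RENDERABLE_TYPES.include?(media_type)

  # XSS protection: a renderable file only goes to keep-web when the
  # administrator has explicitly opted in with trust_all_content.
  return [:fallback, nil] if renderable && !trust_all_content

  # Assumed keep-web URL layout: <base>/collections/<uuid_or_pdh>/<path>
  encoded = path.split('/').map { |seg| ERB::Util.url_encode(seg) }.join('/')
  [:redirect, "#{keep_web_url.chomp('/')}/collections/#{uuid_or_pdh}/#{encoded}"]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, not real identifiers.
  uuid = 'zzzzz-4zz18-0123456789abcde'
  [['report.html', 'text/html'], ['notes.txt', 'text/plain']].each do |file, ct|
    [false, true].each do |trust|
      kind, url = serve_decision(uuid, file, ct,
                                 keep_web_url: 'https://keep-web.example',
                                 trust_all_content: trust)
      puts "#{file} (#{ct}) trust_all_content=#{trust}: #{kind} #{url}"
    end
  end
end
```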

Subtasks 1 (0 open, 1 closed)

Task #8220: Review branch: 8177-keep-web-trust-all-content-flag (Resolved; Tom Clegg; 01/18/2016)

#1

Updated by Brett Smith over 8 years ago

  • Target version set to Arvados Future Sprints
#2

Updated by Brett Smith over 8 years ago

  • Description updated (diff)
  • Category set to Workbench
  • Story points set to 0.5
#3

Updated by Radhika Chippada over 8 years ago

  • Status changed from New to In Progress
  • Assigned To set to Radhika Chippada
  • Target version changed from Arvados Future Sprints to 2016-01-20 Sprint
#4

Updated by Radhika Chippada over 8 years ago

Added the Workbench config param and the corresponding support.

Regarding updating the Workbench install guide: since we had been working very hard to keep the order of steps in the documentation clear without jumping from one page to another, it didn't seem that adding this config parameter to the Workbench install guide would be desirable. We do not have any other mentions of keep-web installation and configuration in the Workbench install guide. Hence, I added this to "services/keep-web/doc.go", which seemed like the best place given that it already addresses other Workbench config in the keep-web context.

#5

Updated by Tom Clegg over 8 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100

Applied in changeset arvados|commit:866d70d438744683bc4f4ea3d1172205e17466a2.
