[Workbench] Add trust_all_content configuration to mirror keep-web's
This should be false by default, because it means you're vulnerable to XSS. But setting it to true and using keep-web would be better than falling back to the arv-get code, so it's worthwhile.
- The configuration setting is trust_all_content. It defaults to false. When true, Workbench will redirect users to keep-web even when that exposes XSS vulnerabilities.
- There should be a comment in application.default.yml explaining the security risks of the feature to administrators. It should also note that the corresponding setting must also be enabled on keep-web.
- Add a section to the Workbench install guide that explains this configuration, with basically the same wording.
- There's already a test that the XSS protection kicks in. That should continue passing when trust_all_content is false. Add a test alongside it that the redirect happens normally when trust_all_content is true.
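To make the decision this ticket describes concrete, here is an added illustration (not Workbench's own code) of when a file request may be handed to keep-web. The function names, the single-origin vs. "*" per-collection host convention, and the inline/attachment distinction are assumptions made for the example.

```ruby
# Added illustration for this ticket, not Workbench's own code: a pure
# function modelling when Workbench may redirect a file request to keep-web.
# Names and the "*" host convention below are assumptions.

# keep-web gives each collection its own origin when the configured URL has
# "*" in the host; a user's HTML then cannot reach any other collection's
# session or data, so redirecting is safe regardless of trust_all_content.
def per_collection_origin?(keep_web_url)
  keep_web_url.start_with?('https://*.', 'http://*.')
end

# Returns the keep-web URL to redirect to, or nil when Workbench must fall
# back to streaming the file itself (the arv-get path).
#
# inline: true when the browser would render the file (e.g. an .html page a
# user uploaded); false for a download served with
# Content-Disposition: attachment, which the browser never executes as a page.
def keep_web_redirect(keep_web_url:, trust_all_content:, uuid:, path:, inline: true)
  return nil if keep_web_url.nil? || keep_web_url.empty?
  if per_collection_origin?(keep_web_url)
    return "#{keep_web_url.sub('*', uuid)}/#{path}"
  end
  # Single shared origin: inline content from one collection can script
  # against everything else served from that origin (the XSS this ticket
  # warns about). Only proceed when the administrator has opted in.
  return "#{keep_web_url}/collections/#{uuid}/#{path}" if !inline || trust_all_content
  nil
end

# Constructed values for demonstration only.
SHARED   = 'https://collections.example.com'.freeze
WILDCARD = 'https://*.collections.example.com'.freeze
UUID     = 'zzzzz-4zz18-000000000000000'.freeze

# Mirrors the two tests the ticket asks for: protection kicks in when the
# setting is false, the redirect happens normally when it is true.
def xss_protection_blocks_redirect?
  keep_web_redirect(keep_web_url: SHARED, trust_all_content: false,
                    uuid: UUID, path: 'report.html').nil?
end

def trusted_redirect_happens?
  !keep_web_redirect(keep_web_url: SHARED, trust_all_content: true,
                     uuid: UUID, path: 'report.html').nil?
end
```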
#4 Updated by Radhika Chippada almost 5 years ago
Added the Workbench config param and the corresponding support.
Regarding updating the Workbench install guide: Since we had been working very hard to keep the order of steps in the documentation clear without jumping from one page to the other, it didn't seem that adding this config parameter to the Workbench install guide would be desirable. We do not have any other mentions of keep-web install and configuration in the Workbench install guide. Hence, I added this to "services/keep-web/doc.go", which seemed like the best place given that it already addresses other Workbench config in the keep-web context.