Story #8177

[Workbench] Add trust_all_content configuration to mirror keep-web's

Added by Brett Smith almost 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Radhika Chippada
Category:
Workbench
Target version:
Start date:
01/18/2016
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
0.5

Description

This should be false by default, because enabling it means you're vulnerable to XSS. But setting it to true and using keep-web would be better than falling back to the arv-get code, so it's worthwhile.

  • The configuration setting is trust_all_content. Its default is false. When true, Workbench will redirect users to keep-web even when that exposes XSS vulnerabilities.
  • There should be a comment in application.default.yml explaining the security risks of the feature to administrators. It should also note that the corresponding setting must also be enabled on keep-web.
  • Add a section to the Workbench install guide that explains this configuration, with basically the same wording.
  • There's already a test that the XSS protection kicks in. That should continue passing when trust_all_content is false. Add a test alongside it that the redirect happens normally when trust_all_content is true.
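To make the decision the bullets above describe concrete, here is a small model of the Workbench-side redirect check, with the two tests the story asks for side by side. It is an example written for this page, not Workbench's controller code or Tom's branch. It uses the setting name from the story (trust_all_content) and a second Workbench setting, keep_web_url, whose wildcard-hostname form follows keep-web's documented per-collection isolation; the host names, collection UUID and file name are constructed for the example.

```ruby
# Model of the Workbench-side redirect decision the story describes, written
# for this page; it is NOT Workbench's own controller code. It takes the two
# settings by name: trust_all_content (from the story) and keep_web_url, the
# Workbench setting that names the keep-web host. Host names and the
# collection UUID below are constructed for the example.
#
# Background assumed here (keep-web's documented design, see its doc.go):
# keep-web isolates collections from one another, and from Workbench, only
# when each collection is served from its own hostname, which Workbench
# recognises by a '*' in keep_web_url, e.g.
#
#   keep_web_url: https://*.collections.example.com
#
# Without the wildcard every collection shares a single origin, so an HTML
# file one user uploads runs with the next viewer's cookies for that origin:
# stored XSS. That is the case trust_all_content: true opts into.

# Returns the keep-web URL to redirect to, or nil when Workbench must fall
# back to serving the file itself (the arv-get path mentioned in the story).
# path is assumed to be already URL-escaped.
def keep_web_redirect(keep_web_url:, trust_all_content:, uuid:, path:)
  # No keep-web at all: nothing to redirect to.
  return nil if keep_web_url.nil? || keep_web_url.empty?

  isolated = keep_web_url.include?('*')
  # XSS protection: a shared origin is only acceptable when the admin has
  # explicitly accepted the risk. The decision deliberately ignores the
  # file's extension or content type; browsers sniff, so an "image" can
  # still be rendered as HTML, and only origin isolation is a real boundary.
  return nil unless isolated || trust_all_content

  "#{keep_web_url.sub('*', uuid)}/#{path}"
end

# The two tests the story asks for, side by side: same file, same keep-web
# host, only the flag differs.
def story_test_cases
  uuid = 'zzzzz-4zz18-0123456789abcde'              # constructed collection UUID
  shared_origin = 'https://collections.example.com' # no wildcard: one origin
  {
    protection_kicks_in: keep_web_redirect(keep_web_url: shared_origin,
                                           trust_all_content: false,
                                           uuid: uuid, path: 'report.html'),
    redirect_when_trusted: keep_web_redirect(keep_web_url: shared_origin,
                                             trust_all_content: true,
                                             uuid: uuid, path: 'report.html'),
  }
end

if __FILE__ == $PROGRAM_NAME
  story_test_cases.each { |name, url| puts "#{name}: #{url.inspect}" }
end
```

Running it prints nil for the first case (the existing XSS-protection behaviour, which must keep passing) and the shared-origin keep-web URL for the second (the new redirect-when-trusted case). The flag only governs Workbench's willingness to redirect; as the story notes, the corresponding setting has to be enabled on keep-web as well, and a wildcard keep_web_url remains the safe way to get keep-web redirects without trusting all content.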

Subtasks

Task #8220: Review branch: 8177-keep-web-trust-all-content-flag (Resolved, Tom Clegg)

Associated revisions

Revision 866d70d4
Added by Tom Clegg almost 5 years ago

Merge branch '8177-keep-web-trust-all-content-flag' closes #8177

History

#1 Updated by Brett Smith almost 5 years ago

  • Target version set to Arvados Future Sprints

#2 Updated by Brett Smith almost 5 years ago

  • Description updated (diff)
  • Category set to Workbench
  • Story points set to 0.5

#3 Updated by Radhika Chippada almost 5 years ago

  • Status changed from New to In Progress
  • Assigned To set to Radhika Chippada
  • Target version changed from Arvados Future Sprints to 2016-01-20 Sprint

#4 Updated by Radhika Chippada almost 5 years ago

Added the Workbench config param and the corresponding support.

Regarding updating the Workbench install guide: since we have been working very hard to keep the order of steps in the documentation clear without jumping from one page to another, it didn't seem desirable to add this config parameter to the Workbench install guide. We do not have any other mentions of keep-web install and configuration in the Workbench install guide. Hence, I added this to "services/keep-web/doc.go", which seemed like the best place given that it already addresses other Workbench config in the keep-web context.

#5 Updated by Tom Clegg almost 5 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100

Applied in changeset arvados|commit:866d70d438744683bc4f4ea3d1172205e17466a2.
