Idea #8177

closed

[Workbench] Add trust_all_content configuration to mirror keep-web's

Added by Brett Smith over 8 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Radhika Chippada
Category:
Workbench
Target version:
Start date:
01/18/2016
Due date:
Story points:
0.5

Description

This should be false by default, because enabling it means you're vulnerable to XSS. But setting it to true and using keep-web would be better than falling back to the arv-get code, so it's worthwhile.

  • The configuration setting is trust_all_content. It defaults to false. When true, Workbench will redirect users to keep-web even when that exposes XSS vulnerabilities.
  • There should be a comment in application.default.yml explaining the security risks of the feature to administrators. It should also note that the corresponding setting must also be enabled on keep-web.
  • Add a section to the Workbench install guide that explains this configuration, with basically the same wording.
  • There's already a test that the XSS protection kicks in. That should continue passing when trust_all_content is false. Add a test alongside it that the redirect happens normally when trust_all_content is true.
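The decision the description asks Workbench to make can be modelled in a few lines. The following is an added example written for this page, not Arvados code: `WorkbenchConfig`, `isolated_origin?`, `delivery_method` and `keep_web_url_for` are all hypothetical names, and the two keep-web URL layouts (collection UUID in a wildcard hostname versus a `/c=<uuid>/` path segment on a shared hostname) are assumptions made for the example. The point it shows is why the flag matters: a shared keep-web origin is only safe to redirect to when the administrator has explicitly accepted the XSS risk, and otherwise Workbench keeps the arv-get fallback.

```ruby
require "uri"

# Constructed stand-in for the two Workbench settings the issue discusses
# (not the project's real configuration schema).
WorkbenchConfig = Struct.new(:keep_web_url, :trust_all_content, keyword_init: true)

# Assumption for this example: a keep-web URL whose hostname starts with "*."
# serves every collection from its own hostname. Each collection is then its
# own browser origin, so a script in one collection cannot read another
# collection, or Workbench's session, through the DOM.
def isolated_origin?(keep_web_url)
  !keep_web_url.nil? && keep_web_url.match?(%r{\Ahttps?://\*\.})
end

# How Workbench should hand a collection file to the browser:
#   :keep_web -> redirect the browser to keep-web
#   :arv_get  -> fall back to streaming the bytes through Workbench itself
def delivery_method(config)
  return :arv_get if config.keep_web_url.nil?               # keep-web not configured at all
  return :keep_web if isolated_origin?(config.keep_web_url) # per-collection origin: safe
  # Shared origin: user-uploaded HTML would run with that origin's privileges,
  # so only redirect when the administrator has opted in with trust_all_content.
  config.trust_all_content ? :keep_web : :arv_get
end

# Build the keep-web URL for a file. Both layouts are assumed for this example:
# the collection UUID goes into the hostname when a wildcard is configured,
# and into a "/c=<uuid>/" path segment on a shared hostname otherwise.
def keep_web_url_for(config, collection_uuid, file_path)
  # Reject anything that could alter the host or path structure of the URL.
  raise ArgumentError, "bad collection UUID" unless collection_uuid.match?(/\A[a-z0-9-]+\z/)
  base = config.keep_web_url
  if isolated_origin?(base)
    base.sub("*", collection_uuid) + "/" + file_path
  else
    "#{base}/c=#{collection_uuid}/#{file_path}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed settings and UUID for the demonstration.
  shared   = WorkbenchConfig.new(keep_web_url: "https://collections.example.com", trust_all_content: false)
  trusted  = WorkbenchConfig.new(keep_web_url: "https://collections.example.com", trust_all_content: true)
  isolated = WorkbenchConfig.new(keep_web_url: "https://*.collections.example.com", trust_all_content: false)
  uuid = "zzzzz-4zz18-abcdefghijklmno"
  [shared, trusted, isolated].each do |cfg|
    puts "#{cfg.keep_web_url} trust_all_content=#{cfg.trust_all_content} -> #{delivery_method(cfg)}"
  end
  puts keep_web_url_for(isolated, uuid, "index.html")
end
```

With trust_all_content left at its default of false, the shared-hostname deployment keeps falling back to arv-get; the per-collection wildcard deployment redirects regardless of the flag because the origin separation already removes the XSS exposure.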

Subtasks 1 (0 open, 1 closed)

Task #8220: Review branch: 8177-keep-web-trust-all-content-flag (Resolved, Tom Clegg, 01/18/2016)
