[ARVADOS] updated: 98b8962de675084cebb869bd3314a19d2fe8cf2f

git at public.curoverse.com
Tue Jan 19 17:38:30 EST 2016

Summary of changes:
 doc/install/install-keep-web.html.textile.liquid | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

  discards  e3e6c4604c2f4717f9177455f107e96794460e94 (commit)
       via  98b8962de675084cebb869bd3314a19d2fe8cf2f (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (e3e6c4604c2f4717f9177455f107e96794460e94)
             N -- N -- N (98b8962de675084cebb869bd3314a19d2fe8cf2f)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

commit 98b8962de675084cebb869bd3314a19d2fe8cf2f
Author: Tom Clegg <tom at curoverse.com>
Date:   Tue Jan 19 17:38:05 2016 -0500

    8177: Offer -trust-all-content option for no-wildcard installs.
    Add alert about XSS on intranet sites.

diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 2b3d312..c7a7b20 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -109,6 +109,10 @@ server {
+{% include 'notebox_begin' %}
+If you restrict access to your Arvados services based on network topology -- for example, your proxy server is not reachable from the public internet -- additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the "'Intranet mode' section of the Keep-web documentation":https://godoc.org/github.com/curoverse/arvados/services/keep-web#hdr-Intranet_mode now.
+{% include 'notebox_end' %}
 h3. Configure DNS
 Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
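Review bot: The new notebox says "additional proxy configuration might be needed" without saying what that configuration is or what the cross-site scripting attack actually circumvents; since the sentence is the only warning an operator sees before the DNS section, it should state the risk in one sentence (scripted content fetched through the proxy runs in a browser that sits inside the restricted network, so a topology-only restriction does not hold) before deferring to the "Intranet mode" link. Minor: this hunk links to https://godoc.org/... while the second hunk in the same file uses http://godoc.org/...; use https for both.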
@@ -117,7 +121,9 @@ Configure your DNS servers so the following names resolve to your Nginx proxy's
 * @*--collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for @*.uuid_prefix.your.domain@ and your DNS server allows this without interfering with other DNS names.
 * @*.collections.uuid_prefix.your.domain@, if you have a wildcard SSL certificate valid for these names.
-If neither of the above wildcard options is feasible, only unauthenticated requests (public data and collection sharing links) will be served as web content at @collections.uuid_prefix.your.domain at . The @download@ name will be used to serve authenticated content, but only as file downloads.
+If neither of the above wildcard options is feasible, you have two choices:
+# Serve web content at @collections.uuid_prefix.your.domain@, but only for unauthenticated requests (public data and collection sharing links). Authenticated requests will always result in file downloads, using the @download@ name. For example, the Workbench "preview" button and the "view entire log file" link will invoke file downloads instead of displaying content in the browser window.
+# In the special case where you know you are immune to XSS exploits, you can enable the "trust all content" mode in Keep-web (with the @-trust-all-content@ command line flag) and Workbench (with the @trust_all_content@ item in @application.yml@). With both of these enabled, inline web content can be served from a single @collections@ host name; no wildcard DNS or certificate is needed. Do not do this without understanding the security implications described in the "Keep-web documentation":http://godoc.org/github.com/curoverse/arvados/services/keep-web.
 h3. Tell Workbench about the Keep-web service
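Review bot: In the second numbered item, "where you know you are immune to XSS exploits" is not a condition an operator can check, yet it is the gate for enabling @-trust-all-content@ in Keep-web and @trust_all_content@ in Workbench at the same time; the item should name the concrete property it relies on (the "security implications" it currently defers to the Keep-web documentation for) so the reader can decide here rather than after following the link. The sentence "Do not do this without understanding the security implications" would then read as a reminder instead of the only guidance. Minor: the link is http://godoc.org/... here but https://godoc.org/... in the notebox added by the first hunk; make them consistent.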
