[ARVADOS] updated: 2.1.0-263-g5727f6452

Git user git at public.arvados.org
Thu Jan 21 15:56:17 UTC 2021


Summary of changes:
 doc/api/keep-web-urls.html.textile.liquid        | 14 ++++++++++----
 doc/install/install-keep-web.html.textile.liquid |  3 ++-
 2 files changed, 12 insertions(+), 5 deletions(-)

       via  5727f64521ea7222422dd48e48793a0fe10253f4 (commit)
      from  f64f557db0bfe6f33d434853a94ee5cff7e69a5d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 5727f64521ea7222422dd48e48793a0fe10253f4
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Thu Jan 21 12:55:13 2021 -0300

    17109: Explains how keep-web handles requests with tokens in the URL.
    
    Adds a reference to the RFC that explains the Same-Site concept.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/doc/api/keep-web-urls.html.textile.liquid b/doc/api/keep-web-urls.html.textile.liquid
index f9f8f2955..90df5b9fd 100644
--- a/doc/api/keep-web-urls.html.textile.liquid
+++ b/doc/api/keep-web-urls.html.textile.liquid
@@ -41,10 +41,6 @@ The first form (with @--@ instead of @.@) avoids the cost and effort of deployin
 
 In all of the above forms, the @collections.example.com@ part can be anything at all: keep-web itself ignores everything after the first @.@ or @-- at . (Of course, in order for clients to connect at all, DNS and any relevant proxies must be configured accordingly.)
 
-{% include 'notebox_begin' %}
-Although keep-web doesn't care about the domain part of the URL, the clients do: specially when rendering inline content, because keep-web uses the @Set-Cookie@ header with the @SameSite=Lax@ attribute, that requires the domain part of the URL to match between keep-web and workbench.
-{% include 'notebox_end' %}
-
 In all of the above forms, the @uuid_or_pdh@ part can be either a collection UUID or a portable data hash with the @+@ character optionally replaced by @-@ . (When @uuid_or_pdh@ appears in the domain name, replacing @+@ with @-@ is mandatory, because @+@ is not a valid character in a domain name.)
 
 In all of the above forms, a top level directory called @_@ is skipped. In cases where the @path/file.txt@ part might start with @t=@ or @c=@ or @_/@, links should be constructed with a leading @_/@ to ensure the top level directory is not interpreted as a token or collection ID.
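Review bot: Dropping the notebox here leaves the list of URL forms with no hint that the domain part is constrained by Workbench's site even though keep-web itself ignores it; the sentence just above still says "the @collections.example.com@ part can be anything at all", which now reads as unconditional. Consider keeping a one-line pointer in its place, e.g. "(See the same-site requirements below before choosing a domain.)", so readers who stop at this section do not pick a hostname that breaks inline previews.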
@@ -77,3 +73,13 @@ pre. http://collections.example.com/collections/download/uuid_or_pdh/TOKEN/foo/b
 A regular Workbench "download" link is also accepted, but credentials passed via cookie, header, etc. are ignored. Only public data can be served this way:
 
 pre. http://collections.example.com/collections/uuid_or_pdh/foo/bar.txt
+
+h2(#same-site). Same-site requirements for requests with tokens
+
+Although keep-web doesn't care about the domain part of the URL, the clients do: specially when rendering inline content.
+
+When a client passes a token in the URL, keep-web sends a redirect response placing the token in a @Set-Cookie@ header with the @SameSite=Lax@ attribute. The browser will ignore the cookie if it's not coming from a _same-site_ request, and thus its subsequent request will fail with a @401 Unauthorized@ error.
+
+This mainly affects Workbench's ability to show inline content, so it should be taken into account when configuring both services' URL schemes.
+
+You can read more about the definition of a _same-site_ request at the "RFC 6265bis-03 page":https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2
\ No newline at end of file
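Review bot: The first added sentence has a typo and a fragment: "the clients do: specially when rendering inline content" should read "the clients do, especially when rendering inline content". In the next paragraph, the failure mode would be clearer if stated in terms of sending rather than ignoring: what produces the @401 Unauthorized@ is that the browser does not attach a @SameSite=Lax@ cookie to the cross-site request that follows the redirect, so consider "the browser will not send the cookie on the redirected request if it is cross-site, and that request will fail with a 401". It would also help to name which request is cross-site here (a Workbench page embedding content served from keep-web), since that is the configuration the section is warning about. Minor: the new last line lacks a trailing newline ("\ No newline at end of file").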
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 7381127a7..69d14e0b9 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -89,7 +89,8 @@ Note the trailing slash.
 
 {% include 'notebox_begin' %}
 Whether you choose to serve collections from their own subdomain or from a single domain, it's important to keep in mind that they should be served from me same _site_ as Workbench for the inline previews to work.
-As an example of same _site_ we refer to  @*.collections.ClusterID.example.com@ being on the same site as @workbench.ClusterID.example.com@, but not the same as @workbench.OtherClusterID.example.com at .
+
+Please check "keep-web's URL pattern guide":/api/keep-web-urls.html#same-site to learn more.
 {% include 'notebox_end' %}
 
 h2. Set InternalURLs
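Review bot: The context line "served from me same _site_ as Workbench" has a typo (me → the) that this hunk could fix while it is already editing the notebox. Separately, the removed line was the only concrete hostname example of what counts as the same site (@*.collections.ClusterID.example.com@ versus @workbench.ClusterID.example.com@), and the new #same-site section it links to gives the RFC reference but no hostname example; consider keeping that example here, or moving it into the linked section, so installers can check their own names against it.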

-----------------------------------------------------------------------


hooks/post-receive