This repository has been archived by the owner on Sep 20, 2022. It is now read-only.
Add COOP and COEP header middleware decorator and wildcard route #4
To be able to use Starboard notebook to its full potential we need to set the COOP and COEP headers. This is required for Atomics and SharedArrayBuffer to be used since the Spectre vulnerabilities (you can check in the browser console by typing `crossOriginIsolated`, which should be `true` if everything is good). This PR introduces a middleware (not sure what they are called in Tornado, but I suppose it's implemented as a decorator) that sets these headers to the correct value.

With these headers we basically opt in to a stricter set of security rules (which is not a bad idea anyway!), but there's a bit of work required before everything will work again:

`crossorigin` attribute set. So it would be `<script src="https://content.illumidesk.com/my-javascript-file.js" crossorigin></script>`. This likely means that we have to change some setting in our lms build pipeline that adds these tags. In webpack it's `output.crossOriginLoading`.

`index.html`).

`content.illumidesk.com`. We can set that to a wildcard `*` (most CDNs will do this, alternatively it could check the origin and see if it's in a whitelist - but that requires server logic in front of it). Screenshot of issue:

https://content.illumidesk.com/npm/starboard-notebook (e.g. `npm/starboard-notebook@0.13.2/dist/index.html`) should additionally have the following headers set:

(We have a crazy hack from Stefan to not actually require step 5, but we should not rely on that.)
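The following is an added example written for this page; it is not the PR's own decorator or route and does not reproduce the repository's code. It shows the two header sets the description talks about (COOP/COEP on the page that embeds the notebook, and the CORS/CORP headers the CDN assets need so an isolated page may still load them), a decorator that applies them to a handler method, and a simplified model of the COEP `require-corp` check that explains why both the `crossorigin` attribute step and the CDN header step are needed. The decorator only relies on a `set_header(name, value)` method, which `tornado.web.RequestHandler` provides; the `HeaderRecorder` stand-in, the handler names and the origins in `demo()` are constructed for the example so it runs without Tornado installed.

```python
from functools import wraps

# Response headers that make a document cross-origin isolated; the browser then
# exposes SharedArrayBuffer/Atomics and reports crossOriginIsolated === true.
ISOLATION_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

# Headers a cross-origin asset (e.g. a script served from a CDN) needs before an
# isolated document may load it: Access-Control-Allow-Origin satisfies a
# CORS-mode load (<script crossorigin>), Cross-Origin-Resource-Policy satisfies
# a no-CORS load (a plain <script>, <img>, ...).
RESOURCE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Cross-Origin-Resource-Policy": "cross-origin",
}


def _set_headers(headers):
    """Build a decorator for handler methods that sets `headers` before the
    method body runs. Works on any object with set_header(name, value), which
    includes tornado.web.RequestHandler (hypothetical usage, not the PR's code)."""
    def decorator(method):
        @wraps(method)
        def wrapper(self, *args, **kwargs):
            for name, value in headers.items():
                self.set_header(name, value)
            return method(self, *args, **kwargs)
        return wrapper
    return decorator


cross_origin_isolated = _set_headers(ISOLATION_HEADERS)  # for the notebook page
embeddable_resource = _set_headers(RESOURCE_HEADERS)     # for the wildcard asset route


def is_cross_origin_isolated(headers):
    """Mirror of what the browser checks before exposing SharedArrayBuffer."""
    return all(headers.get(k) == v for k, v in ISOLATION_HEADERS.items())


def coep_allows_load(resource_headers, document_origin, resource_origin, mode):
    """Simplified model of the COEP: require-corp check for one subresource.
    mode is "cors" (the tag carried the crossorigin attribute) or "no-cors".
    The CORP "same-site" case is left out to keep the example short."""
    if document_origin == resource_origin:
        return True  # COEP never blocks same-origin loads
    if mode == "cors":
        acao = resource_headers.get("Access-Control-Allow-Origin")
        return acao in ("*", document_origin)
    return resource_headers.get("Cross-Origin-Resource-Policy") == "cross-origin"


class HeaderRecorder:
    """Constructed stand-in for tornado.web.RequestHandler: only records
    set_header calls so the example runs without Tornado."""
    def __init__(self):
        self.headers = {}

    def set_header(self, name, value):
        self.headers[name] = value


class NotebookPageHandler(HeaderRecorder):
    @cross_origin_isolated
    def get(self):
        return "<html>notebook page</html>"


class AssetHandler(HeaderRecorder):
    # In Tornado this would sit behind a wildcard route such as r"/(.*)".
    @embeddable_resource
    def get(self, path):
        return f"asset:{path}"


def demo():
    """Run the handlers and evaluate the loads the PR description discusses."""
    page = NotebookPageHandler()
    page.get()
    asset = AssetHandler()
    asset.get("npm/starboard-notebook/dist/index.html")
    app, cdn = "https://app.example", "https://cdn.example"  # constructed origins
    return {
        "page_isolated": is_cross_origin_isolated(page.headers),
        # plain <script src=cdn> and a CDN that sends neither header: blocked
        "bare_script_no_headers": coep_allows_load({}, app, cdn, "no-cors"),
        # CDN sends CORP: cross-origin, so even a tag without crossorigin loads
        "bare_script_with_corp": coep_allows_load(asset.headers, app, cdn, "no-cors"),
        # <script crossorigin> against a CDN that answers with ACAO: *
        "crossorigin_script": coep_allows_load(asset.headers, app, cdn, "cors"),
    }
```

`demo()` returns `page_isolated` true and only `bare_script_no_headers` false, which is the situation behind the screenshot: once COEP is on, a cross-origin script without either the `crossorigin` attribute plus a CORS grant or a `Cross-Origin-Resource-Policy: cross-origin` header is refused.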