
Add allow-same-origin to deck/spyglass sandbox #22921

Merged
merged 1 commit into from
Nov 4, 2021

Conversation

fgimenez
Contributor

Fixes #22417

Not sure what to do about https://github.com/kubernetes/test-infra/blob/master/prow/spyglass/write-a-lens.md#sandboxing, will this change affect the ability to access the parent window?

/cc @BenTheElder

Signed-off-by: Federico Gimenez [email protected]

@k8s-ci-robot k8s-ci-robot requested a review from BenTheElder July 16, 2021 18:32
@k8s-ci-robot
Contributor

Hi @fgimenez. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/prow Issues or PRs related to prow area/prow/deck Issues or PRs related to prow's deck component area/prow/spyglass Issues or PRs related to prow's spyglass UI sig/testing Categorizes an issue or PR as relevant to SIG Testing. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 16, 2021
@BenTheElder
Member

/ok-to-test

I'm not sure re: sandboxing, it's not my usual domain 😅

I'm also not sure who currently working in the project would know more.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 16, 2021
Member

@alvaroaleman alvaroaleman left a comment


We control what we put into the iframe so this should be fine. Not a frontend specialist though.
/assign @cjwagner
/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 26, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 26, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, fgimenez

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 26, 2021
@cjwagner
Member

/assign @e-blackwelder
Could you please help review this PR, Ethan? I'm only vaguely familiar with how origin policies work and I don't feel comfortable approving without the eyes of a SME.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 31, 2021
@fgimenez fgimenez force-pushed the update-spyglass-sandbox branch from 5ac5b31 to 05c8516 July 31, 2021 16:12
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 31, 2021
@BenTheElder
Member

will this change affect the ability to access the parent window?

no not the window.

Member

@BenTheElder BenTheElder left a comment


/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 14, 2021
@BenTheElder
Member

/lgtm
/test all

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 4, 2021
@k8s-ci-robot k8s-ci-robot merged commit 890606c into kubernetes:master Nov 4, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Nov 4, 2021
@fgimenez fgimenez deleted the update-spyglass-sandbox branch November 4, 2021 16:33
@Katharine
Member

Since I'm looking at this and thinking about it, noting this for anyone who cares:

Having both allow-scripts and allow-same-origin removes any security properties provided by the sandbox: allow-same-origin allows the frame to modify its parent, which enables it to remove the sandbox properties. This is probably not important right now, but may matter if you ever enable remote lenses.

The other perhaps-unintentional effect allow-same-origin has is enabling access to APIs not explicitly provided to lenses, potentially resulting in surprise maintenance burdens. As designed, this was not supposed to be permitted — though I can't speak to whether you still care.
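The sandbox-escape described in the comment above follows from how the two tokens interact: allow-same-origin lets the framed document keep its real origin instead of an opaque one, and allow-scripts lets it run script, so a same-origin frame with both can reach window.parent.document, strip the sandbox attribute off its own iframe element and reload itself unsandboxed. A different-origin (remote) lens with the same tokens cannot touch the parent document, but it does keep its own origin. The following is an added example written for this discussion, not Prow, Deck or Spyglass code: a small lint that parses a sandbox attribute and reports whether a frame loaded from a given URL could remove its own sandboxing. The function names (assessSandbox, auditLenses) and the lens inventory are assumptions constructed for the example; the origins are placeholders.

```javascript
// Added example, not project code. Lints <iframe sandbox="..."> token lists
// against the allow-scripts + allow-same-origin escape. All names and sample
// data below are constructed for this illustration.

// Tokens defined for the HTML sandbox attribute (the ones relevant here).
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// The attribute is a space-separated, ASCII case-insensitive token set.
function parseSandbox(attr) {
  const tokens = new Set();
  for (const t of attr.trim().split(/\s+/)) {
    if (t) tokens.add(t.toLowerCase());
  }
  return tokens;
}

// frameOrigin: the origin the framed document would have without sandboxing
// (derived from its URL). parentOrigin: the origin of the embedding page.
function assessSandbox(attr, { frameOrigin, parentOrigin }) {
  const tokens = parseSandbox(attr);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown sandbox token: ${t}`);
  }

  const scripts = tokens.has("allow-scripts");
  // Without allow-same-origin the frame gets an opaque origin and cannot
  // reach the parent document no matter where it was loaded from.
  const sharesParentOrigin =
    tokens.has("allow-same-origin") && frameOrigin === parentOrigin;

  let escapable = false;
  if (scripts && sharesParentOrigin) {
    escapable = true;
    findings.push(
      "allow-scripts with allow-same-origin on a same-origin frame: script in " +
      "the frame can reach window.parent.document, remove the sandbox " +
      "attribute from its own <iframe> and reload itself unsandboxed");
  }
  if (sharesParentOrigin) {
    findings.push(
      "frame shares the parent's origin: cookies, localStorage and every other " +
      "same-origin API are reachable, not only the API handed to the lens");
  }
  return { tokens: [...tokens].sort(), escapable, findings };
}

// Constructed sample inventory: a same-origin lens with both tokens, a
// same-origin lens with scripts only, and a hypothetical remote lens.
const SAMPLE_LENSES = [
  { name: "buildlog", src: "https://prow.example/spyglass/lens/buildlog",
    sandbox: "allow-scripts allow-same-origin" },
  { name: "metadata", src: "https://prow.example/spyglass/lens/metadata",
    sandbox: "allow-scripts" },
  { name: "remote",   src: "https://lens.example/spyglass/lens/remote",
    sandbox: "allow-scripts allow-same-origin" },
];

// Return the lenses whose frame could strip its own sandbox.
function auditLenses(lenses, parentOrigin) {
  return lenses
    .map((l) => ({
      ...l,
      ...assessSandbox(l.sandbox, { frameOrigin: new URL(l.src).origin, parentOrigin }),
    }))
    .filter((r) => r.escapable);
}

for (const r of auditLenses(SAMPLE_LENSES, "https://prow.example")) {
  console.log(`${r.name}: ${r.findings.join("; ")}`);
}
```

Running it flags only the same-origin lens carrying both tokens; the remote lens keeps its own origin but is reported as not escapable because it cannot script the parent document. Note that removing the sandbox attribute only affects the next navigation of the frame, which is why the escape needs the reload step.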

Development

Successfully merging this pull request may close these issues.

spyglass: missing allow-same-origin breaks viewer(s)
7 participants