-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(spyglass/lenses/html) add allow-forms to sandbox #294
base: main
Are you sure you want to change the base?
Conversation
|
Welcome @norrs! |
Hi @norrs. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: norrs The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
✅ Deploy Preview for k8s-prow ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
This adds allow-forms to the iframe sandbox. > Blocked form submission to '' because the form's frame is sandboxed and the 'allow-forms' permission is not set. This allow's us to click the <a href=link-to-buildbuddy-invocation target=_blank> which links to streaming build results on buildbuddy, as we use bazel with remote builders on buildbuddy.io and the buil-logs uploaded to S3 only contains this hyperlink. With this change we allow chrome to handle the login process at buildbuddy.io which requires a form-post to handle login over SSO. https://web.dev/articles/sandboxed-iframes Original lens PR: kubernetes/test-infra#10208 Later changes that are similar to this one: allow same-origin: kubernetes-sigs@b9a0167 allow popups: kubernetes/test-infra#23069 Signed-off-by: Roy Sindre Norangshol <[email protected]>
6a2668b
to
0b11741
Compare
I thought I had personally signed this CLA under this umbrella, anyhow , updated to commit this under Cisco even if I did this outside working hours. cncf/gitdm#506 has an update on the contributor listing |
/ok-to-test I don't know browsers & web apps enough to judge if this has risks, I hope one of the assigned reviewers has a chance to look |
I'm not super familiar with the risks of this either, but I can take a look into it. |
Here is my thought on the security considerations: (I hope I get this correct): We already allow it to execute javascript from the iframe, which means it can already do more or less a lot. So allow-forms is not really a huge change. I suppose an attack vector with allowing And iframe is supposed to already be security hardened, just sandbox is taking this to the next level and starts with a privileged mode (read: zero privileges) and you have to grant the privileges the sandbox (the website inside the iframe) requires to run. But Im unsure if I understand what's stated in here: kubernetes/test-infra#10208 and Rendering implementation .. Maybe @Katharine, @paulangton or @BenTheElder could chime in with some knowledge and expertise? 🙏 I suppose maybe even better approach would be if there was a way to tune these allowed sandbox arguments as a configuration option, but I haven't researched how easy/achievable this is. I also learned something new which might make the PR not needed (?):
I can share is that this weird chrome iframe bringing sandbox properties to new sites when reusing a tab that was opened from an sandboxed iframe is quite weird from an user's perspective. I would expect if I visit a new URL in the browser in the tab, that it wouldn't bring with sandbox properties from a site I visited >1 page ago. See buildbuddy-io/buildbuddy#7684 if you are curious how I ended up here. but if we drop this PR, maybe a security review over It kinda would suck if the I guess it comes down to what is the threat model? Is it maybe intended to only ensure you embed trusted sources in the spy glass? There is also the option of (Sorry for the wall of text, I'm on uncomfortable grounds and I'm thinking out loud 😅 ) |
Thanks, that's more detailed than what I was about to post 😅 While we're discussing it, do you have an example link to Spyglass for what you're trying to enable? (I looked at the linked discussion in buildbuddy but didn't see a Spyglass example there or here). Relevant as well: the discussion on the original PR for allow-same-origin: kubernetes/test-infra#22921 |
My first lean is that if this is already opening a new tab/window and it's clear this is an external link (so go at your own risk), (I do think separately, we should probably review |
So we are running prow inside our business unit at Cisco, so the only thing I can provide is a screenshot where I have hidden a bit things, but it should give you the gist of my problem in a visual presentation:
Interesting, it seems to have been discussed before as well.
I have to admit that I would agree with this one, and the threat model should be operator of the prow installation that should be responsible for what it trust and define what to add spyglasses to. and also this statement about mixing the Comes back to : kubernetes/test-infra#10208 and Rendering implementation . So I kinda come around to: is it better to document that the threat model is up to the operator of the prow instance to only spyglass sources it trusts? But from the twitter example on https://web.dev/articles/sandboxed-iframes : When reading this over again, I belive this support my statement about the threat model, and a proper enhancement would be to be able for the operator of the prow installation to define this pr spyglass. This way it can sandbox each spyglass properly according to it needs. But hopefully we could argue that this probably is out-of-scope for this PR? So then the question remains, do we simply add Another thing about the My mind wandered over this thought as well: edit: formatting pictures into a quote |
Oh, when I write spyglass, maybe I actually mean a lense .. so maybe I do understand it now, the security enhancement around lenses .. was to be solved in the future.. and I believe my suggestion above might sound like what an improved security enhancement could work? 😅 |
I don't think we should allow this by default, if we're going to weaken the sandbox in any way this should be opt-in and prow.k8s.io will not opt-in. Why not write the log link out to a file that renders the URL directly, instead of inside the streaming logs? |
agreed |
This provides the ability to configure iframe sandbox permissions pr lense. This allows the operator of the prow installation to define which permissions it trust to each lense. PR comes from the ideas and discussions in kubernetes-sigs#294 Signed-off-by: Roy Sindre Norangshol <[email protected]>
I agree, I believe this is achievable with https://github.com/kubernetes-sigs/prow/pull/296/files , and also turns this PR void/not needed.
🤔 Good question, my hunch is that this allows it to show several logs from artifacts uploaded in the object bucket without having to update the configuration from prow. |
This adds allow-forms to the iframe sandbox.
This allow's us to click the
<a href=link-to-buildbuddy-invocation target=_blank>
which links to streaming build results on buildbuddy, as we use bazel with remote builders on buildbuddy.io and the buil-logs uploaded to S3 only contains this hyperlink.With this change we allow chrome to handle the login process at buildbuddy.io which requires a form-post to handle login over SSO.
https://web.dev/articles/sandboxed-iframes
Original lens PR: kubernetes/test-infra#10208
Later changes that are similar to this one:
allow same-origin: b9a0167
allow popups: kubernetes/test-infra#23069