ref(toolbar): check allowed origins in iframe view #77756
base: master
Conversation
…on implementation of origin check
Codecov Report
Attention: Patch coverage is
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@ Coverage Diff @@
##            master   #77756       +/-   ##
===========================================
+ Coverage    56.23%   78.10%   +21.87%
===========================================
  Files         6974     6989       +15
  Lines       309287   310110      +823
  Branches     50629    50742      +113
===========================================
+ Hits        173932   242222    +68290
+ Misses      130937    61443    -69494
- Partials      4418     6445     +2027
Finish the todos. Add test coverage.
Branch force-pushed: 33d488a to 8b20e90
Do we have any need for this response header? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
Updates iframe view to look up the project from the URL param, after auth. Handles missing project and allowed origins for the request (set up by a project setting).
Decided with @ryan953 we'll only allow wildcards in the project settings, for the leftmost subdomain only.
Closes #77214
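As an added example (not code from this PR or from the Sentry project), the following Python sketch shows the shape of the check the description lays out: the project is looked up after auth, a missing project and a disallowed Origin are each handled, a wildcard in a project's allowed-origins entry is honoured only as the leftmost subdomain label, and the same list is turned into the frame-ancestors value the reviewer asked about so the browser enforces what the server checks. The in-memory project store, the slugs and hosts, the 404/403 status choices, and the rule that a `*.` wildcard covers any subdomain depth (matching CSP host-source semantics) are this example's own assumptions.

```python
"""Origin check for an embeddable iframe view (added example, not project code)."""
from urllib.parse import urlsplit


def _split_origin(origin):
    """Return (scheme, host, port) for an origin such as 'https://app.example.com:8443',
    or None when the value is not a bare origin (has a path, query, userinfo, bad port...)."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname.lower(), port


def _pattern_is_valid(pattern):
    """An allowed-origins entry is a plain origin, or one whose host starts with '*.'.
    Any other placement of '*' (middle label, partial label, bare '*') is rejected.
    Guardrail (this example's choice): the part after '*.' must itself be at least
    two labels, so '*.com' is not accepted."""
    parsed = _split_origin(pattern)
    if parsed is None:
        return False
    host = parsed[1]
    if "*" not in host:
        return True
    return host.startswith("*.") and "*" not in host[2:] and host.count(".") >= 2


def origin_is_allowed(origin, allowed_origins):
    """True when the request's Origin header matches a project entry. Scheme and
    port must match exactly; the host matches exactly, or for a '*.' entry when it
    is a subdomain (any depth) of the entry's base domain. Invalid entries are
    skipped, so a misconfigured setting never widens access."""
    req = _split_origin(origin) if origin else None
    if req is None:
        return False
    scheme, host, port = req
    if "*" in host:  # a literal '*' in a request origin is never legitimate
        return False
    for pattern in allowed_origins:
        if not _pattern_is_valid(pattern):
            continue
        p_scheme, p_host, p_port = _split_origin(pattern)
        if (p_scheme, p_port) != (scheme, port):
            continue
        if p_host.startswith("*."):
            if host.endswith("." + p_host[2:]):
                return True
        elif p_host == host:
            return True
    return False


def frame_ancestors_header(allowed_origins):
    """Build the Content-Security-Policy value listing the same sources, so the
    browser refuses to render the view inside any other embedding page. CSP
    host-source syntax accepts a leading '*.' wildcard, so validated entries carry
    over directly; with no valid entry, 'none' forbids all framing."""
    sources = []
    for pattern in allowed_origins:
        if _pattern_is_valid(pattern):
            scheme, host, port = _split_origin(pattern)
            default = 443 if scheme == "https" else 80
            src = f"{scheme}://{host}" + (f":{port}" if port != default else "")
            if src not in sources:
                sources.append(src)
    return "frame-ancestors " + (" ".join(sources) if sources else "'none'")


# Constructed project settings standing in for the real per-project setting.
PROJECTS = {
    "my-project": {
        "allowed_origins": ["https://app.example.com", "https://*.example.org:8443"],
    },
}


def check_iframe_request(project_slug, origin_header):
    """Decide the iframe view's response once the caller is authenticated.
    Returns (status, headers): 404 for an unknown project, 403 for a missing or
    disallowed Origin, 200 plus the CSP header otherwise (status codes are this
    example's choice)."""
    project = PROJECTS.get(project_slug)
    if project is None:
        return 404, {}
    allowed = project["allowed_origins"]
    if not origin_is_allowed(origin_header, allowed):
        return 403, {}
    return 200, {"Content-Security-Policy": frame_ancestors_header(allowed)}
```

The server-side check and the CSP header are deliberately derived from the same validated list: the header alone is only advisory to a browser, and the server check alone does nothing to stop a page that already framed the view, so each covers the other's gap.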