(spyglass/lenses) allow configuration sandbox permissions #296
Conversation
This provides the ability to configure iframe sandbox permissions pr lense. This allows the operator of the prow installation to define which permissions it trust to each lense. PR comes from the ideas and discussions in kubernetes-sigs#294 Signed-off-by: Roy Sindre Norangshol <[email protected]>
k8s-ci-robot
added
cncf-cla: yes
|
Hi @norrs. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/M
✅ Deploy Preview for k8s-prow ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| iframe_sandbox_permissions: | ||
| - allow-scripts | ||
| - allow-popups | ||
| - allow-popups-to-escape-sandbox |
There was a problem hiding this comment.
Updated this as it looked like a sane idea to do if this is supposed to demostrate a full configuration file example.
| var defaultSandboxPermissions = strings.Join( | ||
| []string{ | ||
| "allow-scripts", | ||
| "allow-top-navigation", | ||
| "allow-popups", | ||
| "allow-same-origin", | ||
| }, | ||
| " ", | ||
| ) |
There was a problem hiding this comment.
This is defaultSandboxPermissions for the parsedConfig, tho I personally like to work with arrays instead of strings with foo bar zar.
Not sure if you prefer this or the allow-scripts allow-top-navigation allow-popups allow-same-origin instead.
Please let me know, I'll update if you want to change it.
There was a problem hiding this comment.
Suggestion is to do another PR after this to adjust the defaults to not combine allow-same-origin together with allow-scripts, but I suppose this needs to be communicated to the users of the prow installation, so they are aware of the ability to configure this pr lense.
There was a problem hiding this comment.
Arrays sound reasonable to me, and I think it's easier to catch differences.
And that sounds good to me.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
ghost
mentioned this pull request
|
Do you need anything more from me on this? |
|
Closed #294 in favor of this PR. Doing a ping/cc here from the people who were active in 294 ( @michelle192837 @smg247 @BenTheElder . ) Would be nice if we could get this in? 🙏 |
|
Thanks for the ping and apologies for the delay, this dropped off my radar >< I'll review today! |
| var defaultSandboxPermissions = strings.Join( | ||
| []string{ | ||
| "allow-scripts", | ||
| "allow-top-navigation", | ||
| "allow-popups", | ||
| "allow-same-origin", | ||
| }, | ||
| " ", | ||
| ) |
There was a problem hiding this comment.
Arrays sound reasonable to me, and I think it's easier to catch differences.
And that sounds good to me.
| @@ -61,6 +62,14 @@ func TestGetConfig(t *testing.T) { | |||
| } | |||
| return d | |||
| }(), | |||
| }, { | |||
There was a problem hiding this comment.
nit: Add test case verifying what the iframe permissions are if none are specified.
There was a problem hiding this comment.
Added test @michelle192837 , good nit 👍
norrs
force-pushed
the
norrs/spyglass/allow-configuration-of-sandbox-permissions-per-lense
branch
from
fe2591e to
1cd2aad
Compare
if providing sandbox iframe sandbox permissions configuration which is empty, it should provide no prvileges for the sandbox and not fall back to the defaults. if you want defaults, you should not configure the iframe.sandbox_permissions. Signed-off-by: Roy Sindre Norangshol <[email protected]>
norrs
force-pushed
the
norrs/spyglass/allow-configuration-of-sandbox-permissions-per-lense
branch
from
1cd2aad to
44d0098
Compare
k8s-ci-robot
added
the
lgtm
|
Seems like we need an approval from cmd/checkconfig/OWNERS: @chases2 , @stevekuznetsov or @cjwagner |
|
Those folks are no longer working on Prow unfortunately. I think this should get approval from someone in https://github.com/kubernetes-sigs/prow/blob/main/OWNERS until that OWNERS file is fixed. (Pulling randomly) @petr-muller or @matthyx ? |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: matthyx, michelle192837, norrs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This provides the ability to configure iframe sandbox permissions pr lense. This allows the operator of the prow installation to define which permissions it trust to each lense.
PR comes from the ideas and discussions in
#294