-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core,mini-browser: server enhancements #8759
Conversation
57a88c6
to
57ad43c
Compare
57ad43c
to
d4d63fd
Compare
But it is a hack, no? The point of reimplementing with webview or as a VS Code extension is to solve all other issues with the mini browser, like not playing nicely with the shell, focus, keyboard/mouse events propagations and so on without any new configurations. With this PR we don't solve anything else except making one component secure at cost making the system more complex. It's also try partially reinvent webviews with securing resource access, i.e. solving what already solved. I don't think it is the right direction. |
@akosyakov No this is not a hack. Surely, the The most complex thing that was added is the concept of WebSocket validators and adding the notion of known host domains for the backend to validate the origin of incoming WebSocket connections. See this post for more information. This fix is independent from changing how the mini-browser is implemented/hooks into Theia's shell. Right now our main focus is to make the required server changes to fix the bugzilla issue and the re-implementation can be tackled with subsequent work. We'd really like to have those concerns addressed by merging this PR before next release if possible. |
d5190cb
to
2a9e3d4
Compare
Please add the breaking changes section in CHANGELOG, explainign how downstreams should deal with a change. |
@akosyakov I just double-checked the changes and I don't think anything is broken, besides |
@marechal-p Did you try to run mini browser from Gitpod? Should not all downstreams now reconfigure their proxies, dns servers and so on? |
I could not start it by the way from Gitpod at all:
|
Silly import edit: Forgot to push, it was fixed locally |
2a9e3d4
to
b117af9
Compare
Downstream don't need to do a thing. Everything should work like before. Except that now one can set |
@akosyakov Ok I now understand the situation in which gitpod is: your DNS doesn't resolve A temporary hack, and it would be a hack in this case, would be to make the default pattern like |
You cannot assume that everybody is using |
Just found out about CSP and it looks like it could prevent having to validate origins as the browser would prevent the connections from happening automatically. I'll take some time going through this to see if that's the solution. |
We should not mess with remote content but load it as is. If we impose some restrictions on it, it will break user experience. We've been already though all of this while working on webviews. There is no another way than giving own origin to isolate one context from another. |
a65209a
to
31060e4
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to update the PR's description as well, with the default origin - {{uuid}}.mini-browser.{{hostname}}
@vince-fugnitto @marcdumais-work Could you test it please? I will try to find time to check code tomorrow. Hope we land it before release. |
31060e4
to
5a7da4d
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marechal-p I performed a subsequent functional review 👍
- confirmed that the bugzilla
.html
file is successfully handled, while on master it does not. - confirmed that the bugzilla
extension
is successfully handled, while on master it does not. - confirmed that there are no regressions on both the
browser
andelectron
targets when openinghtml
andsvg
files
5a7da4d
to
ef9072d
Compare
ef9072d
to
747b8ba
Compare
@vince-fugnitto Could you check please also that dev servers are still working? see #8759 (comment) |
@akosyakov I confirmed that the |
@marechal-p Could you rebase please? Please also check launch.json and add |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
a3a7ce1
to
cda2d2d
Compare
The mini-browser currently hosts its services on the same origin than Theia's main origin. This commit makes the `mini-browser` serve on its own origin: `{{uuid}}.mini-browser.{{hostname}}` by default. Can be configured with a `THEIA_MINI_BROWSER_HOST_PATTERN` environment variable. Hosting the `mini-browser` on its own origin prevents cross-origin requests from happening easily, but WebSockets don't benefit from the same protection. We need to allow/disallow upgrade requests in the backend application ourselves. This means that in order to know who to refuse, we need to know where we are hosted. This is done by specifying the `THEIA_HOSTS` environment variable. If left empty, no check will be done. But if set, nothing besides what is written in this var will be allowed. See `BackendApplicationHosts` to get the hosts extracted from this var. Note that the latter is not set when running Electron, since there's no need to deal with arbitrary origins, everything should be local. No check is done on the HTTP(s) endpoints because we'll rely on the browser's SOP and CORS policies to take effect. A new contribution point is added: `WsRequestValidatorContribution`. An extender can implement this contribution to allow or not WebSocket connections. Internally used to filter origins and Electron's token as well as checking the origin of requests to prevent some type of XSS. Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
cda2d2d
to
8af656a
Compare
mini-browser: serve on separate origin
The mini-browser currently hosts its services on the same origin than
Theia's main origin. This commit makes the
mini-browser
serve on itsown origin:
{{uuid}}.mini-browser.{{hostname}}
by default. Can beconfigured with a
THEIA_MINI_BROWSER_HOST_PATTERN
environmentvariable.
core: validate ws upgrade origin
Hosting the
mini-browser
on its own origin prevents cross-originrequests from happening easily, but WebSockets don't benefit from the
same protection. We need to allow/disallow upgrade requests in the
backend application ourselves.
This means that in order to know who to refuse, we need to know where we
are hosted. This is done by specifying the
THEIA_HOSTS
environmentvariable. If left empty, no check will be done. But if set, nothing
besides what is written in this var will be allowed. See
BackendApplicationHosts
to get the hosts extracted from this var. Notethat the latter is not set when running Electron, since there's no need
to deal with arbitrary origins, everything should be local.
No check is done on the HTTP(s) endpoints because we'll rely on the
browser's SOP and CORS policies to take effect.
A new contribution point is added:
WsRequestValidatorContribution
.An extender can implement this contribution to allow or not WebSocket
connections. Internally used to filter origins and Electron's token as
well as checking the origin of requests to prevent some type of XSS.
Signed-off-by: Paul Maréchal paul.marechal@ericsson.com
Fixes: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018
How to test
mini-browser
should work like before:.html
file, open the dev-tools and make sure that the file is served frommini-browser.localhost:3000
.iframe
and open it in a new tab.ws://localhost:3000/services
.THEIA_HOSTS=patate.local:3000
.hosts
file to add an entry like127.0.0.1 patate.local
.THEIA_HOSTS
.Review checklist
Reminder for reviewers