
Allow self for iframes in web service #4031

Merged
merged 1 commit into from
Jun 28, 2022

Member

@kulmann kulmann commented Jun 27, 2022

Description

For a silent token renewal via iframe we need to allow self as frame ancestor.
If a refresh token exists (i.e. when offline_access is present in the requested scopes) this is not needed.


@kulmann kulmann requested a review from C0rby June 27, 2022 08:21
@kulmann kulmann self-assigned this Jun 27, 2022
@kulmann
Member Author

kulmann commented Jun 27, 2022

@C0rby this allows frame-ancestor: 'self' for the full web service. Do you think it should be restricted to certain endpoints? Or is it fine like this?

@micbar
Contributor

micbar commented Jun 28, 2022

@kulmann this was affected by the rename of extensions. Could you rebase?

@kulmann kulmann force-pushed the allow-silent-refresh-in-iframe branch from 00a3e2a to a5c2fde Compare June 28, 2022 08:44
@sonarcloud

sonarcloud bot commented Jun 28, 2022

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 0 Code Smells (rating A)
  • 0.0% Coverage
  • 0.0% Duplication

@kulmann kulmann merged commit 530bba5 into master Jun 28, 2022
@delete-merged-branch delete-merged-branch bot deleted the allow-silent-refresh-in-iframe branch June 28, 2022 10:23
ownclouders pushed a commit that referenced this pull request Jun 28, 2022
Merge: 5cfa823 a5c2fde
Author: Benedikt Kulmann <benedikt@kulmann.biz>
Date:   Tue Jun 28 12:23:34 2022 +0200

    Merge pull request #4031 from owncloud/allow-silent-refresh-in-iframe

    Allow self for iframes in web service
@C0rby
Contributor

C0rby commented Jun 28, 2022

> frame-ancestor: 'self'

This should be fine. 👍
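
The per-endpoint alternative raised in the thread, as an added example that is not code from this pull request or from the project: a Go middleware that sends `frame-ancestors 'self'` only for listed paths and `frame-ancestors 'none'` everywhere else. The names `framePolicy`, `headersFor`, `demoHandler` and the path `/oidc-silent-redirect.html` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// framePolicy wraps next and sets the anti-framing headers on every response.
// Paths in selfPaths may be framed by same-origin pages (what a hidden
// silent-renew iframe needs); every other path refuses framing entirely.
// An entry ending in "/" matches as a prefix, any other entry matches exactly.
func framePolicy(next http.Handler, selfPaths ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		csp, xfo := "frame-ancestors 'none'", "DENY"
		for _, p := range selfPaths {
			if r.URL.Path == p || (strings.HasSuffix(p, "/") && strings.HasPrefix(r.URL.Path, p)) {
				csp, xfo = "frame-ancestors 'self'", "SAMEORIGIN"
				break
			}
		}
		// CSP is what current browsers enforce; X-Frame-Options covers older ones.
		w.Header().Set("Content-Security-Policy", csp)
		w.Header().Set("X-Frame-Options", xfo)
		next.ServeHTTP(w, r)
	})
}

// headersFor sends a GET for path through h and returns both framing headers.
func headersFor(h http.Handler, path string) (csp, xfo string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Header().Get("X-Frame-Options")
}

// demoHandler builds a constructed app with one frameable path (hypothetical).
func demoHandler() http.Handler {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	return framePolicy(app, "/oidc-silent-redirect.html")
}

func main() {
	h := demoHandler()
	for _, p := range []string{"/oidc-silent-redirect.html", "/index.html"} {
		csp, xfo := headersFor(h, p)
		fmt.Printf("%-28s %s | %s\n", p, csp, xfo)
	}
}
```

Calling `framePolicy(app, "/")` gives the service-wide `'self'` behaviour discussed above, since an entry ending in `/` matches every path.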

@micbar micbar mentioned this pull request Jul 19, 2022