It is not clear to me reading documents on the Internet (i.e. Mozilla's MDN Web Docs) about what Content Security Policy is enforced for a web worker.
Let's say we have a parent page which is served with CSP-a, which starts a web worker whose source is downloaded from the same origin but has a different CSP-b. In this scenario what CSP will be enforced by the web browser to the worker? Especially I am interested in the connect-src and script-src.
Also two follow up questions:
if we use fetch() from the worker script, can we specify { credentials: "same-origin" | "include" }?
what if (in terms of CSP enforcement and credentials option of fetch()) the worker script is from a different origin than the parent page?
Related
I want to do OpenID Connect 1.0 authentication for frontend users on my site.
In order to do so, I've developed an authentication service (as described in the docs). Within this service I'd like to access TypoScript configuration values to fetch the OpenID configuration (.well-known-URL, client ID and secret).
To do so, I simply inject TYPO3\CMS\Extbase\Configuration\ConfigurationManagerInterface into the authentication service - but this class only wraps the real configuration manager, which in this case is an instance of TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager - although I am in frontend context. This also affects other places, for example is TYPO3 not able to get the correct plugin configuration (because it is not present in the backend).
I've tracked this down to TYPO3\CMS\Extbase\Configuration\ConfigurationManager::initializeConcreteConfigurationManager, where the existence of $GLOBALS['TYPO3_REQUEST'] is checked - if it does not exist, the BackendConfigurationManager is used as fallback.
So my question: How do I correctly fetch TypoScript configuration within a TYPO3 authentication service?
As already written by Chris. TypoScript is not initialized at this time and I also don't suggest to do so by yourself.
Your options are:
Use the extension configuration which is described here
Use the site settings which are described here
Which one you want to use depends on the usecase. The extension configuration is global and even more lowlevel as now site is used. If you need different setttings for a multi-site installation, the site settings are the prefered choice
I've deployed buildbot in cloud vms, docker, and such. I've been able to setup authentication, but could not disable anonymous access.
It so happens that, I really can't allow anonymous access since it is a private owned resource, worst of all in many logs from build steps, passwords and other sensitive information show up.
buildbot version: 0.9.8
Documentation is scarse/nonexistant on this subject.
Thanks in advance.
Buildbot itself only allows to disable access to REST API. So anonymous users will see 'empty' web interface with no builds, logs etc. Access to the web interface can be disabled only by external web server settings.
Example authz config:
c['www']['authz'] = util.Authz(
allowRules=[
util.AnyEndpointMatcher(role='admins', defaultDeny=False),
util.AnyControlEndpointMatcher(role='admins', defaultDeny=False),
util.AnyEndpointMatcher(role='anonymous')
],
2.5.12.5. Authorization rules
One can implement the default deny policy by putting an AnyEndpointMatcher with nonexistent role in the end of the list. Please note that this will deny all REST apis, and most of the UI do not implement proper access denied message in case of such error.
I am building REST APIs with MicroServices, which means I have different services for providing different resources. Suppose I have below services:
ServiceA is providing resources resourcesA and resourcesA1 with below URLs
https://my-internal-endpoint-for-serviceA/resourcesA
https://my-internal-endpoint-for-serviceA/resourcesA1
ServiceB is providing resources resourcesB and resourcesB1 with below URLs
https://my-internal-endpoint-for-serviceB/resourcesB
https://my-internal-endpoint-for-serviceB/resourcesB1
Now, I want to manage them in Azure API Management. To publish them (by importing the Swagger document from services), API Management portal need an API path for publishing. So, serviceA and serviceB can be published as below:
https://my-api-azure-api.net/serviceA/resourcesA
https://my-api-azure-api.net/serviceA/resourcesA1
https://my-api-azure-api.net/serviceB/resourcesB
https://my-api-azure-api.net/serviceB/resourcesB1
But to be more resources based API management, I am expecting the published APIs to be more like below:
https://my-api-azure-api.net/resourcesA
https://my-api-azure-api.net/resourcesA1
https://my-api-azure-api.net/resourcesB
https://my-api-azure-api.net/resourcesB1
Unfortunately, API management does not allow me for pubshing 2 APIs (serviceA and serviceB) to same path (root path in this case). I don't want to put the service name (or something equivalent) in the URL path as the service name is something duplication of the resource name provided by it. How do I workaround this?
The Azure API Management Policies can help you here, in particular the control flow with the ability to forward requests. The documentation is here: https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-reference
I would approach this by setting up the resources as a single API, by adding one via swagger and then adding in the other services to this one to make it complete (as you want it to appear as a single complete service). Once this is in place you are then free to apply the policies.
Note: you may have to expand the resource path in the following way
https://my-api-azure-api.net/mynewservice/resourcesA
https://my-api-azure-api.net/mynewservice/resourcesA1
https://my-api-azure-api.net/mynewservice/resourcesB
https://my-api-azure-api.net/mynewservice/resourcesB1
Maybe the answer to this question can help:
How to chain APIs using Azure API management
You can use the same policy to map several operations of the same API in API Management to different backend APIs.
But in general all APIs are exposed as <myGateway>.azure-api.net/<myApi>/<myOperation>.
I've built a simple translate service with Node-Red and Watson. The service is ok when called directly from the browser but I have an error ( CORS ) when call the service via http from my Angular app.
Does Bluemix allow CORS ?
Thanks in advance.
Generally speaking Bluemix supports applications that are composed of many independent services deployed to different hostnames. For each application (which can be a service API) that you push to Bluemix, the name you provide will be prepended to .mybluemix.net. If your application follows the best practices of a microservices architecture you will probably have two or more subcomponents that live on different hostnames. Now if you have a front-end that needs to aggregate information from these other Bluemix apps (your AngularJS app) by default the access to other subdomains will be forbidden.
The solution is to take advantage of the standard HTTP headers that are available to control cross-origin resource sharing (CORS) on the Bluemix services that you wish to provide to JavaScript clients:
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Take a look at the following blog post: Cross-origin resource sharing for Bluemix APIs.
add these code lines in your bluemix-settings.js and repush your app
// The following property can be used to configure cross-origin resource sharing
// in the HTTP nodes.
// See https://github.com/troygoode/node-cors#configuration-options for
// details on its contents. The following is a basic permissive set of options:
httpNodeCors: {
origin: "*",
methods: "GET,PUT,POST,DELETE"
},
Add this code after " functionGlobalContext: { }, "
We have implemented Single Sign-On (SSO) using Kerberos in our production environment.
The configuration of our application is as below.
Operating System: Solaris10
Application Server: WebSphere7.0.0.11
Things are working fine for the Parent domain (MAIL.COM). But the users from child domains (like CO.MAIL.COM, BO.MAIL.COM..) are unable to login to the application.
We have the Kerberos Configuration file with the child domain details also. My doubt is "What are the changes needs to be done at the WAS console (realm related, domain related etc..)"
Thank you very much in advance..!!!