Fix templates which asset path points to external URL #1690
Conversation
|
@nabokihms can you please rebase your branch? |
nabokihms
force-pushed
the
fix-relative-url
branch
from
1acf434
to
681d09e
Compare
| @@ -176,6 +176,11 @@ func loadTemplates(c webConfig, templatesDir string) (*templates, error) { | |||
| //assetPath is static/main.css | |||
| //relativeURL("/dex", "/dex/auth", "static/main.css") = "../static/main.css" | |||
| func relativeURL(serverPath, reqPath, assetPath string) string { | |||
| if u, err := url.ParseRequestURI(assetPath); err == nil && u.Scheme != "" { | |||
There was a problem hiding this comment.
Not sure if this is actually correct. //kubernetes.io/images/favicon.png would be perfectly valid HTML as well.
There was a problem hiding this comment.
//kubernetes.io/images/favicon.png will be treated as a relative path because of the URL scheme is empty. Do you think we should limit the scheme to http/https instead?
There was a problem hiding this comment.
//kubernetes.io/images/favicon.png is a valid URI and and I'm not sure it should be rewritten as a relative path.
Furthermore, Dex should usually be served over HTTPS, which means having an HTTP URL on the site will probably trigger browser security behavior.
TBH, that makes me think if supporting external URLs is a good idea in the first place.
There was a problem hiding this comment.
I made this PR because:
- It can be handy to use with prebuilt docker images from the official repo. You only need to specify one URL in the config to add an icon instead of adding it to the docker image.
- It fixes the broken behavior. Someone might suffer because of such breaking changes.
But I agree with the concerns that you raised. Frankly, we need to make a decision here.
There was a problem hiding this comment.
So after thinking about this for a looooooong time, I think we can assume that people should always use HTTPS URLs these days, so not supporting the schemaless URL should be fine. I'm also not concerned about using http urls on an https site: if someone does that, it's their problem.
Limiting the scheme, however, is an interesting question. Does that pose a security risk if we just allow using any schemes there? not sure.
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
nabokihms
force-pushed
the
fix-relative-url
branch
from
681d09e
to
70505b2
Compare
nabokihms
changed the title
| @@ -176,6 +176,11 @@ func loadTemplates(c webConfig, templatesDir string) (*templates, error) { | |||
| //assetPath is static/main.css | |||
| //relativeURL("/dex", "/dex/auth", "static/main.css") = "../static/main.css" | |||
| func relativeURL(serverPath, reqPath, assetPath string) string { | |||
| if u, err := url.ParseRequestURI(assetPath); err == nil && u.Scheme != "" { | |||
There was a problem hiding this comment.
So after thinking about this for a looooooong time, I think we can assume that people should always use HTTPS URLs these days, so not supporting the schemaless URL should be fine. I'm also not concerned about using http urls on an https site: if someone does that, it's their problem.
Limiting the scheme, however, is an interesting question. Does that pose a security risk if we just allow using any schemes there? not sure.
Description:
#1554 breaks the ability to specify an icon for header using external URL like this one.
I added check, that if assetURL points to external URL, no transformations required.