X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/51169558811743fcd2e21e4b9397f9fb2d4766b0..e4c30dbf271df0633efce61c630a29c89bc43bff:/apps/workbench/config/application.default.yml

diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index c4a92d2739..5400debbfd 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -213,6 +213,9 @@ common:
   # when anonymous_user_token is configured, show public projects page
   enable_public_projects_page: true
 
+  # by default, disable the "Getting Started" popup which is specific to the public beta install
+  enable_getting_started_popup: false
+
   # Ask Arvados API server to compress its response payloads.
   api_response_compression: true
 
@@ -254,3 +257,22 @@ common:
   # Example:
   # keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
   keep_web_download_url: false
+
+  # In "trust all content" mode, Workbench will redirect download
+  # requests to keep-web, even in the cases when keep-web would have
+  # to expose XSS vulnerabilities in order to handle the redirect.
+  #
+  # When enabling this setting, the -trust-all-content flag on the
+  # keep-web server must also be enabled.  For more detail, see
+  # https://godoc.org/github.com/curoverse/arvados/services/keep-web
+  #
+  # This setting has no effect in the recommended configuration, where
+  # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
+  # case XSS protection is provided by browsers' same-origin policy.
+  #
+  # The default setting (false) is appropriate for a multi-user site.
+  trust_all_content: false
+
+  # Maximum number of historic log records of a running job to fetch
+  # and display in the Log tab, while subscribing to web sockets.
+  running_job_log_records_to_fetch: 2000