15606: Add error message and doc link to XSS protection error.
authorTom Clegg <tclegg@veritasgenetics.com>
Mon, 28 Oct 2019 19:25:17 +0000 (15:25 -0400)
committerTom Clegg <tclegg@veritasgenetics.com>
Mon, 28 Oct 2019 19:25:17 +0000 (15:25 -0400)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

doc/install/install-keep-web.html.textile.liquid
services/keep-web/handler.go
services/keep-web/handler_test.go

index 902ced0372a972449db08452b59c888a47f1d237..a8833f44da20b8492227b46c7470a0cf5a26bfa2 100644 (file)
@@ -100,7 +100,7 @@ server {
 If you restrict access to your Arvados services based on network topology -- for example, your proxy server is not reachable from the public internet -- additional proxy configuration might be needed to thwart cross-site scripting attacks that would circumvent your restrictions. Read the "'Intranet mode' section of the Keep-web documentation":https://godoc.org/github.com/curoverse/arvados/services/keep-web#hdr-Intranet_mode now.
 {% include 'notebox_end' %}
 
-h3. Configure DNS
+h3(#dns). Configure DNS
 
 Configure your DNS servers so the following names resolve to your Nginx proxy's public IP address.
 * @download.uuid_prefix.your.domain@
index b4fe1bd4000793c82926c8b6b6c80a017b06baf2..728fdb0a35ea147f1cd71dfcddf1d9b47a26054f 100644 (file)
@@ -733,7 +733,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
                        // into a cookie unless the current vhost
                        // (origin) serves only a single collection or
                        // we are in TrustAllContent mode.
-                       w.WriteHeader(http.StatusBadRequest)
+                       http.Error(w, "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)", http.StatusBadRequest)
                        return
                }
 
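Review bot: The new `http.Error` call hardcodes the documentation URL in a string literal that the two hunks in services/keep-web/handler_test.go repeat verbatim (plus the trailing "\n" that http.Error appends), so the three copies will drift the next time the doc anchor moves. A single package-level constant, `const errInlineContentMsg = "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)"`, used as `http.Error(w, errInlineContentMsg, http.StatusBadRequest)` and referenced from both tests, keeps the message and its assertions in one place. Replacing the bare `WriteHeader` with `http.Error` is the right choice for a response on this code path: it writes the body as `text/plain; charset=utf-8` with `X-Content-Type-Options: nosniff`, and the message carries no request-derived data, so nothing from the URL or headers is reflected back. A comment above the call such as `// Keep this message static: it is emitted on an untrusted origin, so nothing from the request may be echoed into it.` would record that constraint for whoever later wants to include the host or path for diagnostics. seeOtherWithCookie's body begins before this hunk.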
index 34333d43424863c9ced8662a5f6867de6723e48b..aefd0fd08dd20c24a03182c6e967acfccbdcc6ae 100644 (file)
@@ -349,7 +349,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check
                "",
                "",
                http.StatusBadRequest,
-               "",
+               "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
        )
 }
 
@@ -424,7 +424,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *chec
                "",
                "",
                http.StatusBadRequest,
-               "",
+               "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
        )
 
        resp := s.testVhostRedirectTokenToCookie(c, "GET",