17109: Explains how keep-web handles requests with tokens in the URL.

Adds a reference to the RFC that explains the Same-Site concept.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas@di-pentima.com.ar>

diff --git a/doc/api/keep-web-urls.html.textile.liquid b/doc/api/keep-web-urls.html.textile.liquid
index f9f8f29559902e3ba6d63c05cf80b617dc9643eb..90df5b9fd6fc4ff8452726d10aae86630ecb6263 100644 (file)
--- a/doc/api/keep-web-urls.html.textile.liquid
+++ b/doc/api/keep-web-urls.html.textile.liquid
@@ -41,10 +41,6 @@ The first form (with @--@ instead of @.@) avoids the cost and effort of deployin
 
 In all of the above forms, the @collections.example.com@ part can be anything at all: keep-web itself ignores everything after the first @.@ or @--@. (Of course, in order for clients to connect at all, DNS and any relevant proxies must be configured accordingly.)
 
-{% include 'notebox_begin' %}
-Although keep-web doesn't care about the domain part of the URL, the clients do: specially when rendering inline content, because keep-web uses the @Set-Cookie@ header with the @SameSite=Lax@ attribute, that requires the domain part of the URL to match between keep-web and workbench.
-{% include 'notebox_end' %}
-
 In all of the above forms, the @uuid_or_pdh@ part can be either a collection UUID or a portable data hash with the @+@ character optionally replaced by @-@ . (When @uuid_or_pdh@ appears in the domain name, replacing @+@ with @-@ is mandatory, because @+@ is not a valid character in a domain name.)
 
 In all of the above forms, a top level directory called @_@ is skipped. In cases where the @path/file.txt@ part might start with @t=@ or @c=@ or @_/@, links should be constructed with a leading @_/@ to ensure the top level directory is not interpreted as a token or collection ID.
@@ -77,3 +73,13 @@ pre. http://collections.example.com/collections/download/uuid_or_pdh/TOKEN/foo/b
 A regular Workbench "download" link is also accepted, but credentials passed via cookie, header, etc. are ignored. Only public data can be served this way:
 
 pre. http://collections.example.com/collections/uuid_or_pdh/foo/bar.txt
+
+h2(#same-site). Same-site requirements for requests with tokens
+
+Although keep-web doesn't care about the domain part of the URL, the clients do: specially when rendering inline content.
+
+When a client passes a token in the URL, keep-web sends a redirect response placing the token in a @Set-Cookie@ header with the @SameSite=Lax@ attribute. The browser will ignore the cookie if it's not coming from a _same-site_ request, and thus its subsequent request will fail with a @401 Unauthorized@ error.
+
+This mainly affects Workbench's ability to show inline content, so it should be taken into account when configuring both services' URL schemes.
+
+You can read more about the definition of a _same-site_ request at the "RFC 6265bis-03 page":https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2
\ No newline at end of file

diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 7381127a7ab274a8498e1e0c275f78d49d5f5e29..69d14e0b925c2efafcace9a0fb1197b4b2601d33 100644 (file)
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -89,7 +89,8 @@ Note the trailing slash.
 
 {% include 'notebox_begin' %}
 Whether you choose to serve collections from their own subdomain or from a single domain, it's important to keep in mind that they should be served from me same _site_ as Workbench for the inline previews to work.
-As an example of same _site_ we refer to  @*.collections.ClusterID.example.com@ being on the same site as @workbench.ClusterID.example.com@, but not the same as @workbench.OtherClusterID.example.com@.
+
+Please check "keep-web's URL pattern guide":/api/keep-web-urls.html#same-site to learn more.
 {% include 'notebox_end' %}
 
 h2. Set InternalURLs