view doc/_static/style.css @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins, all origins are allowed. When this is
done, it also adds an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org), not for the wildcard.
This is now fixed for CORS preflight OPTIONS requests as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 4553614a2b22 |
| children | 7820cc786b5e |
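The origin policy described in the commit message, as an added example rather than Roundup's own code: a wildcard entry reflects any origin without Access-Control-Allow-Credentials, an explicit entry reflects the origin and sets the credentials header, and '*' must be the first entry. The function names, the Vary header and the sample origins are assumptions made for this example.

```python
"""Added example; not Roundup's implementation."""
from typing import Dict, List, Optional

# Methods listed in the commit message as covered by the fix.
API_METHODS = "GET, PUT, DELETE, POST, PATCH, OPTIONS"


def wildcard_is_first(allowed_api_origins: List[str]) -> bool:
    """True when '*' is absent or is the first entry, as the message requires."""
    return "*" not in allowed_api_origins or allowed_api_origins[0] == "*"


def cors_headers(allowed_api_origins: List[str],
                 request_origin: Optional[str]) -> Dict[str, str]:
    """Return the CORS headers to emit for a request carrying request_origin.

    Explicit match  -> reflect origin and set Allow-Credentials: true.
    Wildcard match  -> reflect origin, but never set Allow-Credentials,
                       so a third-party site cannot use the user's
                       credentials against the tracker.
    No match        -> no CORS headers at all.
    """
    if not request_origin:
        return {}
    if not wildcard_is_first(allowed_api_origins):
        raise ValueError("'*' must be the first entry in allowed_api_origins")

    headers: Dict[str, str] = {}
    if request_origin in allowed_api_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    elif allowed_api_origins and allowed_api_origins[0] == "*":
        headers["Access-Control-Allow-Origin"] = request_origin
    else:
        return {}
    # Assumption for this example (not in the commit message): the response
    # varies by Origin, so tell caches not to serve it to another origin.
    headers["Vary"] = "Origin"
    return headers


def preflight_headers(allowed_api_origins: List[str],
                      request_origin: Optional[str]) -> Dict[str, str]:
    """Headers for a CORS preflight OPTIONS request; same credentials rule."""
    headers = cors_headers(allowed_api_origins, request_origin)
    if headers:
        headers["Access-Control-Allow-Methods"] = API_METHODS
    return headers
```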
```css
/* layout*/
body { font-family: sans-serif, Arial, Helvetica; background-color: white; color: #333; margin:0; padding: 0 3em 0 14em; }
body > .header { margin: 0 0 0 -14em;}
body > .header div.label { font-size: 2em; font-weight: bold; margin: 0.67em 0 0.67em 1em;}
body > .footer { margin: 1em 0 1em -14em; clear:both;}
body > .navigation { margin-left: -14em; width: 14em; float: left; }
body > .content { width: 100%; margin: 0; }
body > .header > #searchbox { position: absolute; right: 1em; top: 1em;}

/* style */
:link { color: #bb0000; text-decoration: none;}
:visited { color: #770000; text-decoration: none;}
a.toc-backref { color: #000000; }
.header h1 { margin-left: 1em; }
body { font-family: sans-serif, Arial, Helvetica; background-color: #f5f5f5; color: #333; }
.menu { margin-right: 1em; padding: 2pt; border: solid thin #dadada; background-color:#ffffff; }
.menu ul { list-style-type:none; padding: 0;}
.menu ul ul { padding-left: 1em;}
.menu li { border-top: solid thin #dadada;}
.menu li:first-child { border-top: none;}

/* related */
div.related { width: 100%; font-size: 90%; }
div.related-top { border-bottom: solid thin #dadada;}
div.related-bottom { border-top: solid thin #dadada;}
div.related ul { margin: 0; padding: 0 0 0 10px; list-style: none; }
div.related li { display: inline;}
div.related li.right { float: right; margin-right: 5px; }
.footer { font-size: small; text-align: center; color: lightgrey; }
.content { padding: 1em; border: solid thin #dadada; background-color: #ffffff; }

/* This is a little hack to inject a 'news' block into the title page
   without having to set up a custom directive. */
#roundup-issue-tracker .note { float: right; width: auto; border: solid thin #dadada; background-color:#f5f5f5; padding: 1em; margin: 1em; }
#roundup-issue-tracker .note .admonition-title { display: none; }
table { border-collapse: collapse; border-spacing: 1px; background-color: #fafafa; }
a.headerlink { font-size: 0.8em; margin-left: 0.3em; color: #c99; }
table.footnote { font-size: calc(1em - 1pt); }
```
