Closed fkorotkov closed 3 years ago
thanks for reporting, I’ll look into it
@fkorotkov Can you provide steps to reproduce?
Sure thing. You can go to this branch fkorotkov/microservices#reproduce-qodana-report-issue.
Then please generate a report via:
docker run --rm -v $PWD/:/data/project/ jetbrains/qodana --save-report --report-dir=report
Then you can install this NPM package for serving files. I've created a serve.json config file to set the header. Now you can run the serve command and navigate to http://localhost:5000/report to see the issue.
@fkorotkov Hello again, there is a bigger problem with sandbox than localStorage exceptions. We request json files with reported problems via javascript and sandbox doesn't allow this either. The quickest way around this is to use allow-same-origin with sandbox and then blacklist localhost:5000 for cookies (and other storages) in your browser settings. I've handled the localStorage (sessionStorage etc.) exceptions, so they won't bother you once the new version is shipped.
Is there any chance that this solution won't contradict the point of using sandbox in your case? If not, then we should rename the issue and I'll try something else, starting with fine-tuning serve.json to whitelist reported json files.
The point of using sandboxing is to not allow access to cookies. Is it a hard requirement to use cookies for Qodana reports to fully function? I think it's OK if it won't be able to save some user preferences in favor of better security.
allow-scripts in the header allows your JS scripts to load other JS files, CSS and JSON. So it should be OK to "request json files with reported problems via javascript".
@fkorotkov No, it's not a hard requirement, Qodana can work without cookies and localStorage (I've handled it, my fix will be shipped).
However, it looks like sandbox is more restrictive than just cookies and allow-scripts doesn't solve this:
So what I'm asking is how restrictive your security concerns are - whether I should fine-tune the config to make this work without allow-same-origin (or go further if it's possible and necessary), or whether it is OK for you to block cookies and web storages via the browser while using allow-same-origin with your sandbox.
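An added illustration, not code from this thread, from Qodana, or from the serve package, of the two things under discussion: the serve.json shape that attaches a sandboxing header to the report files (the config fkorotkov mentions above), and the storage fallback a report's scripts need once that header is in force (the localStorage exceptions the Qodana side says it has handled). The exact header is not quoted in the thread, so `Content-Security-Policy: sandbox allow-scripts` is an assumption based on the sandbox, allow-scripts and allow-same-origin keywords used above; the serve.json keys follow the serve package's documented headers format; pickStorage, memoryStorage and isSandboxed are hypothetical names chosen for this example.

```javascript
// Added example (not from the thread, Qodana, or the serve package).
// Part 1: assumed serve.json contents for `serve`. The "headers" key attaches
// response headers to every path matching "source".
const serveConfig = {
  headers: [
    {
      source: "**/*",
      headers: [
        // Assumed header value: the thread names "sandbox" and "allow-scripts".
        // Every report document gets an opaque origin: scripts still run, but
        // document.cookie, localStorage and sessionStorage throw SecurityError,
        // and the page is no longer same-origin with http://localhost:5000.
        { key: "Content-Security-Policy", value: "sandbox allow-scripts" },
      ],
    },
  ],
  // Optional, and the caveat behind "allow-scripts doesn't solve this": a
  // fetch()/XHR from an opaque-origin document to localhost:5000 is a
  // cross-origin request, so the JSON responses need a CORS header to be
  // readable. Restricting this to the report's JSON files keeps it narrow.
  cors: [
    {
      source: "**/*.json",
      headers: [{ key: "Access-Control-Allow-Origin", value: "*" }],
    },
  ],
};

// Part 2: storage access under a sandboxed document. Browsers throw on the
// mere read of window.localStorage when the origin is opaque, so the guard
// has to be a try/catch around the access itself, not a typeof check.
function pickStorage(win) {
  try {
    const s = win.localStorage;
    const probe = "__report_probe__";
    s.setItem(probe, "1"); // also catches QuotaExceededError in private modes
    s.removeItem(probe);
    return { kind: "localStorage", store: s };
  } catch (e) {
    // SecurityError (sandboxed/opaque origin) or quota error: degrade to an
    // in-memory store so preferences are lost on reload, but the report renders.
    return { kind: "memory", store: memoryStorage() };
  }
}

// Minimal Storage-like object with the three methods the report code would use.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// A document under CSP sandbox without allow-same-origin reports the string
// "null" as its origin; useful for logging why the fallback was chosen.
function isSandboxed(win) {
  return win.origin === "null";
}
```

Note the split that the thread circles around: `<script src>` and `<link>` loads are not CORS requests, which is why allow-scripts is enough for the report's JS and CSS, while fetch or XMLHttpRequest for a JSON file from an opaque-origin document is cross-origin and needs an Access-Control-Allow-Origin response header. That can be arranged on the serve side without reaching for allow-same-origin, which would hand the report back its real origin and with it cookie and storage access.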
Qodana can work without cookies and localStorage
I think we can close this issue then and I'll check back once your changes are shipped. I have a suspicion that the reports will work and this might be an issue with the serve command and how it serves local files.
Looking forward to the release with your changes!
We are securing all user generated reports with the following HTTP header:
This makes sure the user-generated files won't have access to cookies and localStorage for security purposes. In the case of the Qodana report I'm seeing a blank page and the following error:
which comes from SA-main.js:1.