JetBrains / Qodana

📝 Source repository of Qodana Help
https://www.jetbrains.com/help/qodana
Apache License 2.0

Make HTML report work without access to localStorage #27

Closed fkorotkov closed 3 years ago

fkorotkov commented 3 years ago

We are securing all user generated reports with the following HTTP header:

content-security-policy: sandbox allow-scripts

Which makes sure the user generated files won't have access to cookies and localStorage for security purposes. In case of Qodana report I'm seeing a blank page and the following error:

Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.

which comes from SA-main.js:1.

subelta commented 3 years ago

thanks for reporting, I’ll look into it

subelta commented 3 years ago

@fkorotkov Can you provide steps to reproduce?

fkorotkov commented 3 years ago

Sure thing. You can go to this branch fkorotkov/microservices#reproduce-qodana-report-issue.

Then please generate a report via:

docker run --rm -v $PWD/:/data/project/ jetbrains/qodana --save-report --report-dir=report

Then you can install this NPM package for serving files. I've created serve.json config file to set the header. Now you can run serve command and navigate to http://localhost:5000/report to see the issue.

subelta commented 3 years ago

@fkorotkov Hello again, there is a bigger problem with sandbox than localStorage exceptions. We request json files with reported problems via javascript and sandbox doesn't allow this either. The quickest way around this is to use allow-same-origin with sandbox and then blacklist localhost:5000 for cookies (and other storages) in your browser settings. I've handled the localStorage (and sessionStorage, etc.) exceptions, so they won't bother you once the new version is shipped.

Is there any chance that this solution won't contradict the point of using sandbox in your case? If not, then we should rename the issue and I'll try something else, starting with fine-tuning serve.json to whitelist the reported json files.

fkorotkov commented 3 years ago

The point of using sandboxing is to not allow access to cookies. Is it a hard requirement to use cookies for Qodana reports to fully function? I think it's OK if it won't be able to save some user preferences in favor of better security.

allow-scripts in the header allows your JS scripts to load other JS files, CSS and JSON. So it should be OK to "request json files with reported problems via javascript".

subelta commented 3 years ago

@fkorotkov No, it's not a hard requirement, Qodana can work without cookies and localStorage (I've handled it, my fix will be shipped).

However, it looks like sandbox is more restrictive than just cookies, and allow-scripts doesn't solve this:

[Screenshot 2021-03-10 at 23:23:06]

So what I'm asking is how restrictive your security concerns are - whether I should fine-tune the config to make this work without allow-same-origin (or go further if it's possible and necessary), or whether it is ok for you to block cookies and web storages via the browser while using allow-same-origin with your sandbox.
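Added example, not code from the Qodana project or from either commenter: a storage fallback of the kind described in the comment above, so a report UI degrades to in-memory preferences instead of going blank when a document served with `Content-Security-Policy: sandbox allow-scripts` (no allow-same-origin) throws on reading window.localStorage. The MemoryStorage and makePrefs names, the 'qodana:' key prefix and the probe write are assumptions; the separate JSON-fetch restriction mentioned in the same comment is not addressed here.

```javascript
// Added example (not Qodana's code): keep a report UI alive when Web Storage is
// unavailable, e.g. under `Content-Security-Policy: sandbox allow-scripts` without
// allow-same-origin, where merely reading window.localStorage throws a SecurityError.

// In-memory stand-in covering the Storage methods the UI is assumed to need.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// getStorage is a thunk such as () => window.localStorage; it is called inside
// the try block because the property access itself is what throws in a sandbox.
function pickStorage(getStorage) {
  try {
    const s = getStorage();
    s.setItem('__probe__', '1');   // round trip: some browsers expose storage but reject writes
    s.removeItem('__probe__');
    return { storage: s, persistent: true, reason: null };
  } catch (e) {
    return { storage: new MemoryStorage(), persistent: false, reason: e && e.name };
  }
}

// Preference accessor for the UI (hypothetical name and key prefix); get/set never throw.
function makePrefs(getStorage, prefix = 'qodana:') {
  const { storage, persistent, reason } = pickStorage(getStorage);
  return {
    persistent, reason,
    get(key, fallback) {
      try { const v = storage.getItem(prefix + key); return v === null ? fallback : JSON.parse(v); }
      catch (e) { return fallback; }
    },
    set(key, value) {
      try { storage.setItem(prefix + key, JSON.stringify(value)); return true; }
      catch (e) { return false; }
    },
  };
}

// Constructed stand-in for the sandboxed browser, throwing the error quoted in this issue.
function sandboxedLocalStorage() {
  const err = new Error("Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.");
  err.name = 'SecurityError';
  throw err;
}

// Stand-alone demo: real browser storage when present, otherwise the simulation above.
const prefs = makePrefs(typeof window !== 'undefined' ? () => window.localStorage : sandboxedLocalStorage);
console.log({ persistent: prefs.persistent, reason: prefs.reason, theme: prefs.get('theme', 'light') });
```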

fkorotkov commented 3 years ago

Qodana can work without cookies and localStorage

I think we can close this issue then and I'll check back once your changes have shipped. I have a suspicion that the reports will work and this might be an issue with the serve command and how it serves local files.

Looking forward to the release with your changes!