This pull request addresses
In FedRAMP, it's important that clients do not send auth tokens to resources outside of the "FedRAMP" boundary. Therefore, we should only send auth headers in the following cases:
the resource is in the U2C catalog
the resource is in the list of allowed domains
by making the following changes
I changed the allowedDomains to be empty in FedRAMP by default. If the user wants more domains in FedRAMP, they can pass them through config or by calling setAllowedDomains(). In commercial, we keep the existing list of allowedDomains.
The reason webex.com cannot be a default allowedDomain in FedRAMP is that there are commercial sites, like cisco.webex.com, and we don't want FedRAMP users sending their auth tokens to arbitrary commercial *.webex sites.
Change Type
[x] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)
[ ] Documentation update
[ ] Tooling change
[ ] Internal code refactor
The following scenarios were tested
manually tested with config value fedramp: false
manually tested with config value fedramp: true
ran web client automated playwright E2E tests with config value fedramp: false
ran web client automated playwright E2E tests with config value fedramp: true
in commercial, make a request to cisco.webex.com (request added auth headers since it is within the *.webex allowed domains)
in commercial, make a request to cisco.webex.com (SDK does not add an auth header) since it's not within the catalog / not an allowed domain
COMPLETES https://jira-eng-gpk2.cisco.com/jira/browse/SPARK-531900
I certified that
[x] I have read and followed contributing guidelines
[x] I discussed changes with code owners prior to submitting this pull request
[x] I have not skipped any automated checks
[x] All existing and new tests passed
[x] I have updated the documentation accordingly
Make sure to have followed the contributing guidelines before submitting.
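The decision described in this PR (send the auth header only when the target is in the U2C catalog or matches an allowed domain, with allowedDomains defaulting to empty under FedRAMP) can be modelled in a few lines. The block below is an added illustration written for this page, not code from webex-js-sdk; `createAuthPolicy`, `shouldSendAuth`, `buildHeaders`, the sample catalog URLs and the commercial default-domain list are all constructed for the example. It also adds two checks the PR text does not mention and which are this example's own choices: domain matching is done on the `.`-delimited suffix so that a host like `evilwebex.com` never matches `webex.com`, and tokens are never attached to non-HTTPS URLs.

```javascript
// Added example, not webex-js-sdk code. Models the "auth header only inside the
// boundary" rule: catalog match OR allowed-domain match, with FedRAMP defaulting to
// no allowed domains at all. All names below are hypothetical.

// Constructed sample, not the SDK's real default list.
const COMMERCIAL_DEFAULT_ALLOWED_DOMAINS = ['webex.com', 'wbx2.com'];

// True when host is the domain itself or a subdomain of it. Comparing on the
// '.'-delimited suffix is what stops 'evilwebex.com' from matching 'webex.com'.
function hostMatchesDomain(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\*\./, ''); // accept '*.webex.com' or 'webex.com'
  return h === d || h.endsWith('.' + d);
}

// A U2C catalog is modelled here as a list of service base URLs (constructed assumption);
// a request is "in the catalog" when it shares an origin (scheme, host, port) with one.
function isInCatalog(target, catalog) {
  return catalog.some((entry) => new URL(entry).origin === target.origin);
}

function createAuthPolicy({ fedramp = false, allowedDomains, catalog = [] } = {}) {
  // Explicit config wins; otherwise FedRAMP gets [] and commercial gets the default list.
  let current = allowedDomains !== undefined
    ? [...allowedDomains]
    : (fedramp ? [] : [...COMMERCIAL_DEFAULT_ALLOWED_DOMAINS]);

  function shouldSendAuth(url) {
    let target;
    try {
      target = new URL(url);
    } catch {
      return false; // unparsable URL: never attach a token
    }
    // Extra check not in the PR: never leak a bearer token over plaintext.
    if (target.protocol !== 'https:') return false;
    if (isInCatalog(target, catalog)) return true;
    return current.some((d) => hostMatchesDomain(target.hostname, d));
  }

  // Builds the request headers, adding Authorization only when the policy allows it.
  function buildHeaders(url, token, extra = {}) {
    const headers = { ...extra };
    if (shouldSendAuth(url)) headers.Authorization = `Bearer ${token}`;
    return headers;
  }

  return {
    setAllowedDomains(list) { current = [...list]; },
    getAllowedDomains() { return [...current]; },
    shouldSendAuth,
    buildHeaders,
  };
}

// Constructed sample catalog standing in for what U2C would return inside the boundary.
const SAMPLE_FEDRAMP_CATALOG = [
  'https://identity.example-fedramp.gov',
  'https://conv-a.example-fedramp.gov',
];

const commercialPolicy = createAuthPolicy({ fedramp: false });
const fedrampPolicy = createAuthPolicy({ fedramp: true, catalog: SAMPLE_FEDRAMP_CATALOG });

// Commercial: cisco.webex.com is under the default allowed domains, so the token goes out.
console.log(commercialPolicy.buildHeaders('https://cisco.webex.com/api/v1/x', 'tok'));
// FedRAMP: same URL, empty allowedDomains, not in the catalog -> no Authorization header.
console.log(fedrampPolicy.buildHeaders('https://cisco.webex.com/api/v1/x', 'tok'));
```

`setAllowedDomains` lets a FedRAMP deployment opt specific extra domains back in, mirroring the escape hatch the PR describes; everything else stays off by default.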