Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add allowed protocol list for file attachment #4143

Merged
merged 4 commits into from
Mar 2, 2022
Merged

Add allowed protocol list for file attachment #4143

merged 4 commits into from
Mar 2, 2022

Conversation

compulim
Copy link
Contributor

@compulim compulim commented Feb 15, 2022
edited
Loading

Fixes #4142.

Changelog Entry

Added

  • Adds allowed protocol list to file attachment and OAuth card, by @compulim, in PR #4143

Description

Added allowed protocol list for file attachment and OAuth card.

Design

When a URL with protocol not on the allowlist, the file attachment UI will no longer render it as downloadable. OAuth card UI should not navigate to the link and should close the popup immediately.

We did not add blob: to the allowlist as it is not allowed today, see the code here for details.

Specific Changes

  • Added allowed protocol list to <FileContent> with http:, https:, and data:
  • Added allowed protocol list to card action middleware, which handle the OAuth card sign-in button, with http: and https:
  • I have added tests and executed them locally
  • I have updated CHANGELOG.md
  • I have updated documentation

Review Checklist

This section is for contributors to review your work.

  • Accessibility reviewed (tab order, content readability, alt text, color contrast)
  • Browser and platform compatibilities reviewed
  • CSS styles reviewed (minimal rules, no z-index)
  • Documents reviewed (docs, samples, live demo)
  • Internationalization reviewed (strings, unit formatting)
  • package.json and package-lock.json reviewed
  • Security reviewed (no data URIs, check for nonce leak)
  • Tests reviewed (coverage, legitimacy)

@compulim compulim added the p0 Must Fix. Release-blocker label Mar 1, 2022
@compulim compulim force-pushed the feat-allowed-protocol branch from e2f7202 to fe04d9c Compare March 1, 2022 05:17
@compulim compulim merged commit ae89df6 into microsoft:main Mar 2, 2022
@compulim compulim deleted the feat-allowed-protocol branch March 2, 2022 18:35
@compulim compulim mentioned this pull request Mar 23, 2022
Closed
This was referenced Apr 6, 2022
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwhitten cwhitten cwhitten approved these changes

@a-b-r-o-w-n a-b-r-o-w-n Awaiting requested review from a-b-r-o-w-n a-b-r-o-w-n is a code owner

@srinaath srinaath Awaiting requested review from srinaath srinaath is a code owner

@tdurnford tdurnford Awaiting requested review from tdurnford tdurnford is a code owner

@tonyanziano tonyanziano Awaiting requested review from tonyanziano

@beyackle beyackle Awaiting requested review from beyackle

Assignees
No one assigned
Labels
p0 Must Fix. Release-blocker
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add allowed protocol list to file attachment
2 participants
@compulim @cwhitten