Contrib.social

Add configuration for allowed Data & Insights hosts

Open on Drupal.org →
Created on 22 September 2023, over 1 year ago
Updated 26 September 2023, over 1 year ago

Problem/Motivation

Most Data & Insights systems are self-hosted. That means that we will want to validate that an embed is on an allowed domain.

Proposed resolution

Developers can specify a list of allowed domains in a text field, one per line, in a configuration form

Acceptance criteria

If an embed does not match an allowed domain when being created, throw an error message:

“The Data & Insights server is not currently allowed to use for embeds on this site. The embed must be hosted at one of
.”

Add optional support for the CSP module. If it’s installed, automatically add the source to the allowed list of iframes. The help text of the configuration field should call out this support so it’s not a surprise.

Remaining tasks

  • Add integration test for showing multiple errors instead of validating one domain at a time
  • Add integration test for CSP integration

User interface changes

New settings form with a textbox for the domains, one per line.

API changes

N/A

Data model changes

Config object added.
Config schema added.

Feature request
Status

Fixed

Version

1.0

Component

Code

Created by

🇪🇸Spain penyaskito Seville 💃, Spain 🇪🇸, UTC+2 🇪🇺

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024