We need a block for an iframe for issues from security.drupal.org


Comments

mlhess

FileSize
990 bytes
mgifford

Why are you suggesting an iframe? I don't think that's how the other feeds are added.

greggles

Other feeds contain content from d.o. This one contains content from security.drupal.org. We don't want that content syndicated into drupal.org because it has to be private and drupal.org doesn't have any access control system in place (other than published/unpublished, and the list of people who see unpublished things on d.o is very trustworthy but much larger than the list that sees private security issues).

Is there a reason you are opposed to an iframe?

greggles

Status: Active » Needs review
mgifford

That's a good reason to use an iframe. Thanks for the explanation @greggles.

drumm

FileSize
2 KB

I tried this out with AJAX, as attached. AJAX will be a bit nicer because:

  • The height should adjust to the content automatically.
  • The styles should carry through.

But I ran into "No 'Access-Control-Allow-Origin' header is present on the requested resource." I think security.drupal.org's response would need to include headers:

Access-Control-Allow-Origin: https://drupal.org ; or staging/dev site that made the request
Access-Control-Allow-Credentials: true ; so cookies can be sent

Is setting those headers something we can do, or would it open up security.drupal.org too much? It would be good to establish a pattern we want to use for groups.drupal.org and other subsites.

If we need to stick to an iframe, it needs a closing tag. I saw you demoed including some CSS on staging. Can that go live?

drumm

Status: Needs review » Needs work
greggles

Is setting those headers something we can do, or would it open up security.drupal.org too much? It would be good to establish a pattern we want to use for groups.drupal.org and other subsites.

I think it's fine, as long as we only set it to trusted sites (like d.o).

Damien Tournoud

As long as we only add the Access-Control header to this particular GET endpoint (and not to the whole sdo site), it's fine for me.

drumm

Ok, I'm thinking the logic to add headers will be easier to write and maintain in securitydrupalorg module, rather than anything higher up, like Varnish rules.
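Added example of the approach drumm and Damien Tournoud settle on above (CORS headers emitted by the securitydrupalorg module, on the dofeed endpoint only, and only for trusted origins). This is not code from the securitydrupalorg project or from any commenter; the function names, the allowlist constant and the placeholder payload are assumptions.

```php
<?php
// Added example, not the securitydrupalorg module's own code. Function
// names and the allowlist constant are hypothetical.
// Origins allowed to read the feed with the user's s.d.o cookies. Browsers
// reject "*" combined with Allow-Credentials, and reflecting any Origin
// would let any site read a logged-in user's private issues, so the
// header is either an exact match from this list or not sent at all.
define('SECURITYDRUPALORG_DOFEED_TRUSTED_ORIGINS', 'https://www.drupal.org,https://drupal.org');

/**
 * Implements hook_menu().
 */
function securitydrupalorg_menu() {
  $items['dofeed'] = array(
    'page callback' => 'securitydrupalorg_dofeed_page',
    'access callback' => 'user_is_logged_in',
    'delivery callback' => 'drupal_json_output',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Returns the request's Origin header if it is allowlisted, else NULL.
 */
function securitydrupalorg_dofeed_allowed_origin() {
  if (empty($_SERVER['HTTP_ORIGIN'])) {
    return NULL;
  }
  $trusted = explode(',', SECURITYDRUPALORG_DOFEED_TRUSTED_ORIGINS);
  // Strict whole-string comparison; a prefix or substring check would also
  // accept an untrusted origin that merely contains a trusted one.
  return in_array($_SERVER['HTTP_ORIGIN'], $trusted, TRUE) ? $_SERVER['HTTP_ORIGIN'] : NULL;
}

/**
 * Page callback for /dofeed: CORS headers on this endpoint only.
 */
function securitydrupalorg_dofeed_page() {
  $origin = securitydrupalorg_dofeed_allowed_origin();
  if ($origin !== NULL) {
    drupal_add_http_header('Access-Control-Allow-Origin', $origin);
    drupal_add_http_header('Access-Control-Allow-Credentials', 'true');
    drupal_add_http_header('Vary', 'Origin');  // response differs per origin
  }
  // No CORS headers for an untrusted or missing Origin: the browser then
  // refuses the cross-site read with the error quoted in the thread.
  // Placeholder payload; the real module returns the user's private issues.
  return array('issues' => array());
}
```

Because the headers are set inside the page callback, nothing changes for the rest of security.drupal.org, and a Varnish rule is not needed.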

drumm

Status: Needs work » Needs review
FileSize
2.15 KB
795 bytes

Attached is a patch for securitydrupalorg module. And a tested drupalorg patch.

mlhess

This has been deployed to s.d.o.

drumm

Status: Needs review » Fixed

Committed, but not deployed yet.

drumm

Issue tags: +needs drupal.org deployment
drumm

Issue tags: -needs drupal.org deployment

Deployed.

greggles

It seems like this defaults to off. Can we default it to on or figure out some group of people for whom we want to default it to on?

mgifford

Module maintainers? Folks who have security as a tag in their interests? Who would be the group? Also, I see

Your Security Issues

No issues match your criteria.

Is this the default message that folks should see when this block is enabled?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

  • Commit 7bda6c0 on 7.x-3.x, 7.x-3.x-dev by drumm:
    [#2189621] Add a block for issues from security.drupal.org

markhalliwell

Status: Closed (fixed) » Active

This stopped working when s.d.o was upgraded to 7.x:
XMLHttpRequest cannot load https://security.drupal.org/dofeed. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.drupal.org' is therefore not allowed access.

drumm

Project: Drupal.org customizations » securitydrupalorg
Version: 7.x-3.x-dev » 7.x-1.x-dev
Status: Active » Patch (to be ported)
drumm

Assigned: Unassigned » drumm

  • drumm committed 889e05f on 7.x-1.x
    #2189621 Add a block for issues from security.drupal.org

drumm

Status: Patch (to be ported) » Fixed

Now fixed and deployed.

greggles

Thanks, drumm!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.