Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
We need a block for an iframe for issues from security.drupal.org
Comment | File | Size | Author |
---|---|---|---|
#11 | 2189621-securitydrupalorg.diff | 795 bytes | drumm |
#11 | 2189621-ajax.diff | 2.15 KB | drumm |
#1 | 2189621.patch | 990 bytes | mlhess |
Comments
Comment #1
mlhess CreditAttribution: mlhess commentedComment #2
mgiffordWhy are you suggesting an iframe? I don't think that's how the other feeds are added.
Comment #3
gregglesOther feeds contain content from d.o. This one contains content from security.drupal.org. We don't want that content syndicated into drupal.org because it has to be private and drupal.org doesn't have any access control system in place (other than published/unpublished, and the list of people who see unpublished things on d.o is very trustworthy but much larger than the list that sees private security issues).
Is there a reason you are opposed to an iframe?
Comment #4
gregglesComment #5
mgiffordThat's a good reason to use an iframe. Thanks for the explanation @greggles.
Comment #6
drummI tried this out with AJAX, as attached. AJAX will be a bit nicer because:
But I ran into "No 'Access-Control-Allow-Origin' header is present on the requested resource." I think security.drupal.org's response would need to include headers:
Is setting those headers something we can do, or would it open up security.drupal.org too much? It would be good to establish a pattern we want to use for groups.drupal.org and other subsites.
If we need to stick to an iframe, it needs a closing tag. I saw you demoed including some CSS on staging. Can that go live?
Comment #7
drummComment #8
gregglesI think it's fine, as long as we only set it to trusted sites (like d.o).
Comment #9
Damien Tournoud CreditAttribution: Damien Tournoud commentedAs long as we only add the Access-Control header to this particular GET endpoint (and not to the whole sdo site), it's fine for me.
Comment #10
drummOk, I'm thinking the logic to add headers will be easier to write and maintain in securitydrupalorg module, rather than anything higher up, like Varnish rules.
Comment #11
drummAttached is a patch for securitydrupalorg module. And a tested drupalorg patch.
Comment #12
mlhess CreditAttribution: mlhess commentedThis has been deployed to s.d.o.
Comment #13
drummCommitted, but not deployed yet.
Comment #14
drummComment #15
drummDeployed.
Comment #16
gregglesIt seems like this defaults to off. Can we default it to on or figure out some group of people for whom we want to default it to on?
Comment #17
mgiffordModule maintainers? Folks who have security as a tag in their interests? Who would be the group? Also, I see
Is this the default message that folks should see when this block is enabled?
Comment #20
markhalliwellThis stopped working when s.d.o was upgraded to 7.x:
XMLHttpRequest cannot load https://security.drupal.org/dofeed. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.drupal.org' is therefore not allowed access.
Comment #21
drummhttp://cgit.drupalcode.org/securitydrupalorg/tree/securitydrupalorg.modu... needs to be ported to 7.x.
Comment #22
drummComment #25
drummNow fixed and deployed.
Comment #26
gregglesThanks, drumm!