Proposal to make webui-vue the standard

Derick Montague Derick.Montague at ibm.com
Tue Sep 22 03:28:59 AEST 2020


>> resulting in a decrease of development activity on phosphor-webui over the past six months.
 
 > Ironically, you sent this out on the same day Vue 3.0 was announced;
 > It looks like the next 2.X Vue release goes to 18 month support.
 > Hopefully Vue 2.0->3.0 porting isn't the same thing as Angular 1.X ->
 > 2.X.

It will not require a complete rewrite. Google abandoned AngularJS and Angular was a complete rewrite,
which is one reason they renamed the framework from Angular to AngularJS. We can start planning for it
now, but many of the supporting libraries are still in beta with a plan of being released by the end of
2020.

>> Loading webui-vue from the BMC causes content-security-policy errors (#32)
 
 > This is important, and having the UI load without errors or warnings
 > speaks to the quality of the UI as a whole, and also allows finding
 > regressions much easier.  Looking forward to when this lands.

Agreed. I am researching this now.

>> The last 2 identified issues, we are looking for community help but might take these up ourselves one day:
>>
>> Mutual TLS (#30)
 
 > This is used, and I think important overall for the security posture
 > of OpenBMC.  I would like to avoid regressing the default security of
 > OpenBMC in this regard.

Agreed, we will be adding the IsAuthenticated cookie check.

>> CSRF allow list (#29)
 
 > Do you think the person that checked in the code around the security
 > bug could take a look at it?  It looks like Derick wrote the commit
 > that needs fixed.
 > https://github.com/openbmc/webui-vue/commit/e080a1a7593e83a49d623ffdd452fd0e1c617889#diff-d33bbe646af7d8d45caaeb27b20b4813 

Yes, we are looking into this. I am still not quite clear what the CSRF "allowlist"
is. Can you point me in the right direction in phosphor-webui?

   
   


