Proposal to make webui-vue the standard

Bruce Mitchell Bruce_Mitchell at phoenix.com
Thu Sep 24 03:17:19 AEST 2020


Phoenix Technologies Ltd. is moving forward with webui-vue and deprecating use of phosphor-webui.
We are very much looking forward to webui-vue being the standard!  The sooner the better.

> -----Original Message-----
> From: openbmc [mailto:openbmc-bounces+bruce_mitchell=phoenix.com at lists.ozlabs.org] On Behalf Of Ed Tanous
> Sent: Monday, September 21, 2020 10:39
> To: Derick Montague
> Cc: OpenBMC Maillist; Gunnar Mills
> Subject: Re: Proposal to make webui-vue the standard
> 
> On Mon, Sep 21, 2020 at 10:29 AM Derick Montague
> <Derick.Montague at ibm.com> wrote:
> >
> > >> resulting in a decrease of development activity on phosphor-webui over the past six months.
> >
> >  > Ironically, you sent this out on the same day Vue 3.0 was announced;
> >  > It looks like the next 2.X Vue release goes to 18 month support.
> >  > Hopefully Vue 2.0->3.0 porting isn't the same thing as Angular 1.X ->
> >  > 2.X.
> >
> > It will not require a complete rewrite. Google abandoned AngularJS and Angular was a complete rewrite,
> > which is one reason they renamed the framework from Angular to AngularJS. We can start planning for it
> > now, but many of the supporting libraries are still in beta with a plan of being released by the end of
> > 2020.
> 
> That's good to hear that's the case.  I'm in no way saying we should
> go to Vue 3.0 today, just chuckling at the state of the Javascript
> frameworks as a whole.
> 
> >
> > >> Loading webui-vue from the BMC causes content-security-policy errors (#32)
> >
> >  > This is important, and having the UI load without errors or warnings
> >  > speaks to the quality of the UI as a whole, and also allows finding
> >  > regressions much easier.  Looking forward to when this lands.
> >
> > Agreed. I am researching this now.
> 
> Sweet.
> 
> >
> > >> The last 2 identified issues, we are looking for community help but might take these up ourselves one day:
> > >>
> > >> Mutual TLS (#30)
> >
> >  > This is used, and I think important overall for the security posture
> >  > of OpenBMC.  I would like to avoid regressing the default security of
> >  > OpenBMC in this regard.
> >
> > Agreed, we will be adding the IsAuthenticated cookie check.
> >
> > >> CSRF allow list (#29)
> >
> >  > Do you think the person that checked in the code around the security
> >  > bug could take a look at it?  It looks like Derick wrote the commit
> >  > that needs fixing.
> >  > https://github.com/openbmc/webui-vue/commit/e080a1a7593e83a49d623ffdd452fd0e1c617889#diff-d33bbe646af7d8d45caaeb27b20b4813
> >
> > Yes, we are looking into this. I am still not quite clear what the CSRF "allowlist"
> > is; can you point me in the right direction in phosphor-webui?
> >
> 
> phosphor-webui just used the stock angularjs XSRF handling.  I'm
> really surprised there isn't a similar module for Vue.
> 
> The short version is, you can't expose the CSRF key to any server that
> isn't the BMC.  That would be a leak of private information, and while
> not fatal (as you're still protected by the session key) could be
> chained to implement a CSRF attack.
> 
> The important lines of code that you need to implement are:
> https://github.com/angular/angular.js/blob/6706353a71e3c11c56c0b19be03600dac57aafe1/src/ng/http.js#L429
> and
> https://github.com/angular/angular.js/blob/6706353a71e3c11c56c0b19be03600dac57aafe1/src/ng/http.js#L1410
> and
> https://github.com/angular/angular.js/blob/b4e409bf6cd81307f57e51f2f1281b05ceb6cbf2/src/ng/urlUtils.js#L136
> 
> It should be noted, because we don't expect the bmc to be doing any
> cross site scripting, you can simply implement the check against the
> current origin, and don't need to maintain a list anywhere like
> Angular does.
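The same-origin check Ed describes, written out as an added example (this is not code from webui-vue, phosphor-webui or Angular): the XSRF cookie is copied into a request header only when the request resolves to the origin the UI was loaded from, so the token is never sent to another server. The cookie and header names `XSRF-TOKEN` / `X-XSRF-TOKEN` are Angular's defaults and are assumed here, and `currentOrigin` stands in for `window.location.origin`.

```javascript
// Added example: attach the XSRF token only to same-origin requests,
// mirroring the urlIsSameOrigin check that Angular's $http performs.

// Parse one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Same-origin test: scheme and host (including port) must match the
// origin the UI was served from. Relative URLs resolve against it.
function isSameOrigin(requestUrl, currentOrigin) {
  const target = new URL(requestUrl, currentOrigin);
  const current = new URL(currentOrigin);
  return target.protocol === current.protocol && target.host === current.host;
}

// Build the headers for a request. The token is added only when the
// request goes back to the BMC's own origin; any other destination,
// including a scheme downgrade to http://, gets no token.
// Cookie/header names are Angular's defaults (assumed, not from the page).
function buildHeaders(requestUrl, cookieString, currentOrigin, baseHeaders = {}) {
  const headers = { ...baseHeaders };
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token !== null && isSameOrigin(requestUrl, currentOrigin)) {
    headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}
```

Because the decision is made against the current origin alone, there is no list to maintain; an origin that differs in scheme, host or port simply never receives the header.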


