#luminus
2017-09-27
puzzler06:09:25

There don't seem to be any docs, either on the website, or in the book, on how to use the ajax file that comes with the luminus template.

puzzler06:09:40

Is it as simple as calling load-interceptors at some point in your application prior to making ajax calls?

puzzler06:09:25

It also seems to me that js/csrfToken wouldn't even work in advanced compilation mode.

puzzler06:09:13

So is the ajax file from the template even useful, if using advanced compilation mode?

yogthos21:09:32

the ajax namespace is just there to set up the interceptors, you don’t really need to do anything with it unless you wish to add more interceptors

yogthos21:09:59

the js/csrfToken reference still works with advanced compilation as well

puzzler21:09:33

Thanks. What are the rules about which js/* forms get mangled by advanced and which don't? I thought almost nothing was safe from advanced.

puzzler21:09:42

I'm working with a company that will be including my luminus site inside of an iframe. Currently, they are getting an error that x-frame-options is set to same origin. I'm researching how to address this, and it looks like there is some ring middleware to allow specific origins, but there are all sorts of warnings that allow-from isn't supported by certain browsers. I'm not sure what it means that it is not supported -- does it mean browsers like Chrome won't be able to load the iframe, or they will? Next, I see some talk about Chrome supporting something called CSP instead. Is there some unified way of dealing with all of this?

yogthos21:09:30

oh I actually had to deal with the x-frame-options stuff recently

yogthos21:09:06

not sure if there’s any unified way to handle it

yogthos21:09:00

setting (header "Access-Control-Allow-Origin" "origin") where origin is the host should address that

yogthos21:09:11

and you can use * for any origin

yogthos21:09:09

if you’re using ring-defaults, you also have to create your own defaults with different :frame-options

:security {:anti-forgery         false
           :xss-protection       {:enable? true, :mode :block}
           :frame-options        :sameorigin
           :content-type-options :nosniff}

puzzler22:09:47

Yes, I'm using the luminus template which uses ring-defaults.

puzzler22:09:13

What you listed above, is that the existing default, or what you are recommending I change to?

puzzler22:09:27

Looks like the luminus template sets :anti-forgery to false, handling the anti-forgery in a separate piece of middleware instead. :xss-protection, :frame-options, and :content-type-options stay the same as the default, which is what you listed above.

puzzler23:09:40

Do you happen to know whether the X-Frame-Options: ALLOW-FROM http://mycompany.com header would prevent the frame from including it if the user had used https?

puzzler23:09:12

Since several browsers do not respect ALLOW-FROM, have you tried using frame-ancestors instead, with ring/luminus? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors