Fix web UI index path http security headers #4517
Merged
+17
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
generall
force-pushed
the
fix-web-ui-index-path-http-security-headers
branch
from
8a699db
to
44d03d5
Compare
Rendez
force-pushed
the
fix-web-ui-index-path-http-security-headers
branch
from
44d03d5
to
836ced3
Compare
xzfc
reviewed
Jun 24, 2024
timvisee
approved these changes
Jun 25, 2024
timvisee
added a commit
that referenced
this pull request
Jun 25, 2024
* Draft: web-ui root endpoint x-frame-options: deny header * Switch to async * Simplify setting frame options header by using DefaultHeaders --------- Co-authored-by: timvisee <[email protected]>
9 tasks
timonv
pushed a commit
to bosun-ai/swiftide
that referenced
this pull request
Jun 28, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [qdrant/qdrant](https://qdrant.com/) ([source](https://togithub.com/qdrant/qdrant)) | service | patch | `v1.9.2` -> `v1.9.7` | --- ### Release Notes <details> <summary>qdrant/qdrant (qdrant/qdrant)</summary> ### [`v1.9.7`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.7) [Compare Source](https://togithub.com/qdrant/qdrant/compare/v1.9.6...v1.9.7) ### Change log #### Improvements - [qdrant/qdrant#4517 - Do not allow embedding the web UI in an iframe - [qdrant/qdrant#4556 - Include HNSW configuration in snasphots to fix some edge cases #### Bug fixes - [qdrant/qdrant#4555 - Fix panic on start with sparse index from versions 1.9.3 to 1.9.6 - [qdrant/qdrant#4551 - Fix positive/negative points IDs being excluded when using recommendation search with `lookup_from` ### [`v1.9.6`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.6) [Compare Source](https://togithub.com/qdrant/qdrant/compare/v1.9.5...v1.9.6) ### Change log #### Bug fixes - [qdrant/qdrant#4472 - fix potential panic on recovery sparse vectors from crash - [qdrant/qdrant#4426 - improve error message on missing payload index - [qdrant/qdrant#4375 - fix in-place updates for sparse index - [qdrant/qdrant#4523 - fix missing payload index issue, introduced in v1.9.5 ### [`v1.9.5`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.5) [Compare Source](https://togithub.com/qdrant/qdrant/compare/v1.9.4...v1.9.5) ### Change log #### Features - [qdrant/qdrant#4254 - Add pyroscope integration for continuous profiling on demand #### Improvements - [qdrant/qdrant#4309 - Allow to configure default number of shards per node - [qdrant/qdrant#4317 - Allow to overwrite optimizer settings via config - [qdrant/qdrant#4312, [qdrant/qdrant#4369 - Improve vector size estimations, making index thresholds more reliable - [qdrant/qdrant#4428 - Improve default maximum segment size, base it on number of CPUs used for indexing - [qdrant/qdrant#4370 - Use consistent RocksDB settings for both put and remove - [qdrant/qdrant#4376 - Improve ordering of insertions and deletions in RocksDB - [qdrant/qdrant#4371 - Log error if segment flushing failed on drop - [qdrant/qdrant#4352 - Promote REST request processing problems from warning to error - [qdrant/qdrant#4368 - Improve error messages in cases of missing vectors - [qdrant/qdrant#4391 - Improve shard state log message, not strictly related to snapshot recovery - [qdrant/qdrant#4414 - Improve Dockerfile, don't invalidate caches each commit and allow debug settings #### Bug fixes - [qdrant/qdrant#4402 - Fix deadlock caused by concurrent snapshot and optimization - [qdrant/qdrant#4411 - Fix potentially losing vectors on crash by enabling RocksDB WAL - [qdrant/qdrant#4416, [qdrant/qdrant#4440 - Respect `max_segment_size` on data ingestion with optimizers disabled, create segments as needed - [qdrant/qdrant#4442 - Fix potentially having bad HNSW links on multithreaded systems ### [`v1.9.4`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.4) [Compare Source](https://togithub.com/qdrant/qdrant/compare/v1.9.3...v1.9.4) ### Change log #### Bug fixes - [qdrant/qdrant#4332 - Fix potentially losing a segment when creating a snapshot with ongoing updates - [qdrant/qdrant#4342 - Fix potential panic on start if there is no appendable segment - [qdrant/qdrant#4328 - Prevent panic when searching with huge limit ### [`v1.9.3`](https://togithub.com/qdrant/qdrant/releases/tag/v1.9.3) [Compare Source](https://togithub.com/qdrant/qdrant/compare/v1.9.2...v1.9.3) ### Change log #### Improvements - [qdrant/qdrant#4165 - Handle Out-Of-Disk on insertions gracefully - [qdrant/qdrant#3964 - Faster consensus convergence with batched updates - [qdrant/qdrant#4301 - Deduplicate points by ID for custom sharding #### Bug fixes - [qdrant/qdrant#4307 - Fix overflow panic if scroll limit is usize::MAX - [qdrant/qdrant#4322 - Fix panic with missing sparse vectors after recovery of corrupted storage #### Web UI - [qdrant/qdrant-web-ui#183 - Notification for miss-configured collections Full change log: https://github.com/qdrant/qdrant-web-ui/releases/tag/v0.1.26 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/bosun-ai/swiftide). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQyMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The web-ui
/dashboardendpoint can currently be embedded as an iframe. Adding the headerX-Frame-Options: DENYshall protect against it.In terms of the approach taken with actix_web, it would have been ideal if
actix_files::Filesallowed to set HTTP headers, but it only allows a handful of flags likeetag,last_modifiedorcontent_disposition, which fall short of our needs.This is why for the root path reading the
index.htmlfile a custom handler has been introduced:web_ui_index.Awaiting for feedback in the approach before writing any kind of tests.
All Submissions:
devbranch. Did you create your branch fromdev?New Feature Submissions:
cargo +nightly fmt --allcommand prior to submission?cargo clippy --all --all-featurescommand?Changes to Core Features: