Comments (5)
Great demo today! Very excited to see what's to come with extensions.
TL;DR - I think the options for https requirement and disallowing of redirects should be managed on and extention-by-extension basis as part of the TREX config. The ability to enforce these rules are great, but should be optional. Perhaps have them default as you suggest, but allow overrides in config. Or if that's not possible, maybe you could make it a Global server config option.
We have lots of plans for extensions where I work but it seems like some of these options favor security over flexibility. In one use case, I would want to implement extensions on a small intranet where SSL isn't part of the current environment. (Yes, I wish everything was SSL but it's not always my call) In other cases I would absolutely want to enforce the above rules such as in internet environments facing clients.
As for redirects, I see that as less of an issue - especially with allowing oAuth in a dialogue, but I'd still love to have the flexibility if the need arose.
Thanks again!
from extensions-api.
Disabling redirects would drop support for systems using SAML.
from extensions-api.
What makes you assume tableau server being connected directly to the internet or even to the intranet?
Bad idea without any advantages for us. Suggest you leave the implementation of https/redirection to your clients and focus on your API.
Our load balancers take care of ssl. We are running multiple domains. Our tableau server is unreachable without load balancer. I don't want to configure all the certificate stuff in tableau server and I fear that your restrictions will require a lot of (unecessary) work or end up being incompatible with our setup. Disabling redirects is the same.
For other clients it may be interesting but please give us the freedom to opt-out in the server config.
from extensions-api.
Hi all, ( @sharif-zakhary @austinderrick @rulrich1 )
Thank you so much for the feedback. The main thing we're hearing is that restricting redirects will limit flexibility and prevent SAML authentication. Due to that, we have a new proposal that we think we provide admins with the correct amount of security but also allow flexibility for redirects.
We have a meeting with our security team this afternoon to review that proposal. Pending that meeting, we will present our new proposal tomorrow (Wed) at our Spring Demos. I will also create a new issue with the proposal and will link to it when I have that up.
We also hear that forcing https could cause some deployment issues and perhaps isn't necessary for internal deployments of Server. The challenge is that, based on our conversations with various admins, we need to at least start with the default of forcing https. Allowing admins to turn that restriction off is a pretty good idea, but it might actually be a decent amount of work for us so we plan on adding it to our backlog and think it's unlikely that we will ship our first version of Extensions with that ability.
If any of you three (or anyone else) would be up for talking about the deployment scenarios of Extensions, please email me at mkovner at tableau.
from extensions-api.
Here is the new proposal
Summary: Redirects allowed but the api will only communicate with pages from the origin registered in the extension manifest.
I am closing this proposal, because of the opening of the new proposal. We are looking forward to more productive conversation on that issue.
from extensions-api.
Related Issues (20)
- Embedded extensions not respecting the "Hide" login prompt setting HOT 2
- Consider removing Community Portal from docs HOT 3
- Future documentation improvements
- Permission mismatch on Tableau Server/Online HOT 2
- Transparency for non sandboxed extensions HOT 4
- Tooltips do not display on dashboards with an extension - 2021.4 HOT 1
- Kepler.gl Extension breaks in 2021.1+ versions of Tableau Desktop HOT 3
- No way to apply parameters to data retrieved HOT 3
- Can't start extension after adding a table HOT 3
- Using Sets on filter causes getMarksAsync error HOT 4
- Artifactory links need to be replaced in Tutorial\ReactVersion\yarn.lock HOT 2
- MarksInfo undefined using getSummaryDataAsync HOT 1
- npm tableau/tabextsandbox has vulnerabilities HOT 2
- The extension javascript files contain sourceMappingURL, but not the actual map files. HOT 6
- Finding the padding on a dashboard object HOT 1
- Extensions API crashes when dashboard contains worksheet with lots of data. HOT 8
- Question / Possible Issue: Working with Azure App Service deployment is non-responsive HOT 2
- Extension API crashes while extracting worksheet data HOT 1
- Extension api breaks when there is no data in sheet, Issue related to DataTableReader HOT 9
- Command "." not found when running "npm run tslint"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from extensions-api.