Comments (11)
X-Download-Options can be skipped then indeed. Generally better to use HTTP headers instead of meta tags indeed 🙂.
from dietpi-dashboard.
Yeah, it was just a thought. Definitely have to fix the terminal login before v1.0.0 though. It came up because of the (mistaken) request for authentication at Fourdee/DietPi-Dashboard#2, where the user was surprised that the terminal auto-logged in.
@ravenclaw900
Is there something blocking an intermediate release from your end? The current nightly/main branch adds/fixes quite a few things compared to last stable release. Also we recognised that the stable aarch64 binary for some reason throws a segmentation fault on RPi 5, while the nightly works. Not sure how this can be, e.g. some change in the architecture/instruction set which is correctly handled with latest compiler, so that a simple rebuild with updated Rust would solve it as well? However, IMO worth it to push a new release better earlier than later. Also this allows us to switch to stable builds for RISC-V SBCs 🙂.
I'd add another task, adding common security headers for private websites:
X-Content-Type-Options "nosniff"
X-Frame-Options "sameorigin"
X-XSS-Protection "1; mode=block"
X-Robots-Tag "none"
X-Download-Options "noopen" # Internet Explorer only, AFAIK hence probably obsolete
X-Permitted-Cross-Domain-Policies "none" # needs testing with multiple backend nodes
Referrer-Policy "no-referrer"
Also CSP and PP headers could be added, to further tailor resource loading and client/browser feature usage to what the dashboard does/is intended to do, but this requires more investigation and testing, above the ones that should work as is.
The dashboard's already dead on IE, it makes heavy use of CSS flexbox. CSP is currently implemented through a <meta> tag on the HTML, though it's probably better to do with a header.
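A small audit of the header set proposed above, as an added example (not code from dietpi-dashboard): it parses a raw HTTP response, checks each recommended header against the value from the list, and treats Content-Security-Policy as present only when it is sent as a header, since a <meta> tag would not show up here. X-Download-Options is left out because it only matters for Internet Explorer. The sample response is constructed for the example.

```rust
use std::collections::HashMap;

/// Header set from the discussion: (lowercase name, expected value).
/// An empty expected value means "presence only" (CSP is site-specific).
/// X-Download-Options is omitted as Internet Explorer only.
const EXPECTED: &[(&str, &str)] = &[
    ("x-content-type-options", "nosniff"),
    ("x-frame-options", "sameorigin"),
    ("x-xss-protection", "1; mode=block"),
    ("x-robots-tag", "none"),
    ("x-permitted-cross-domain-policies", "none"),
    ("referrer-policy", "no-referrer"),
    ("content-security-policy", ""),
];

/// Parse the header block of a raw HTTP/1.1 response into lowercase name -> value.
/// Stops at the blank line that separates headers from the body.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .skip(1) // status line
        .take_while(|l| !l.trim().is_empty())
        .filter_map(|l| l.split_once(':'))
        .map(|(k, v)| (k.trim().to_ascii_lowercase(), v.trim().to_string()))
        .collect()
}

/// Report missing headers and values that differ (case-insensitively) from the list.
pub fn audit(headers: &HashMap<String, String>) -> Vec<String> {
    let mut findings = Vec::new();
    for (name, want) in EXPECTED {
        match headers.get(*name) {
            None => findings.push(format!("missing: {name}")),
            Some(got) if !want.is_empty() && !got.eq_ignore_ascii_case(want) => {
                findings.push(format!("{name}: got {got:?}, want {want:?}"))
            }
            _ => {}
        }
    }
    findings
}

/// Constructed sample response (not captured from the dashboard).
pub const SAMPLE: &str = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\
X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n\
Referrer-Policy: no-referrer\r\n\r\n<html>...</html>";

fn main() {
    for finding in audit(&parse_headers(SAMPLE)) {
        println!("{finding}");
    }
}
```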
Just an idea, but instead of password protection on the terminal, how about just calling the login binary instead, so people can log in to either root or dietpi, and it will solve the current problem of the login dialog not working on the terminal page.
Sounds pretty reasonable. This would be even a reasonable default IMO, later probably with the option for autologin (with a specific user).
the current problem of the login dialog not working on the terminal page.
What do you mean by this? Which login dialog, when there is currently none intended?
The dialog works, but the terminal doesn't load, and requires a reload to get working. This is due to the fact that, since the websocket is connected to a PTY, it expects the first message to be the token if there's password protection, otherwise it quits.
Ah you mean the dashboard password input.
Now I get it, you mean to replace the general dashboard password protection on the terminal page with the console login prompt. Hmm, I think this is not a good idea. Users may not expect this and rely on a strong dashboard password and may have weak local UNIX user passwords or none at all. I thought of this as an additional feature, allowing dedicated protection and different user logins for the terminal. But at least other user logins are not so much an argument since one can simply run sudo -u <user> bash to achieve the same from a root user session. Many users may however be more comfortable (and generally it is advisable) with using an unprivileged login user in general and calling sudo only where required. With login we give users the choice, an additional security layer but at the cost of additional required inputs 😉.
when to release?
Honestly, whenever I have time to finish the checklist. I don't want to make any guarantees right now.