bbende commented on pull request #4659: URL: https://github.com/apache/nifi/pull/4659#issuecomment-726796835
I feel like maintaining this list is going to be very challenging. How would anyone know to update this?

The most correct solution to me would be for us to use a Cookie for the interactions between NiFi UI and the REST API, this way the credentials are submitted on all requests, similar to how a client certificate is automatically submitted. We would still want to support the current Authorization header approach for direct API access.

If we have a good reason for not doing that, and we still want to pursue some type of allow list, could it be done with some kind of patterns? Not sure if all the front-end stuff comes from some base path that we could just allow anything that starts with the base path, or maybe use extensions and say that we allow any .html, .css, .js, etc.
