Consider using the config file in the PR branch rather the in the main repo #10
Comments
|
I think this is fine as long as it can be previewed with https://tobie.github.io/pr-preview/config.html. The security problem I can see is that if a reviewer clicks the "Preview" link without first reviewing the config change they're opening themselves up to XSS attacks. |
Which right now it can't. :( |
|
That explains my problem. |
|
Yeah, apologies. I hadn't thought about the config helper at all. The config helper just shows the raw output of the bikeshed/respec builder. The post-processing happens after that stage, right before uploading the output to S3. I'd need to do the same (or something similar) for the config stuff. Not top of mind right now, tbh. |
|
Can I test on a branch of the real repository whatwg/streams, or should I just land it on master and see what happens? |
|
Just land it. And use whatever next PR's on your radar to check it. I'll be able to tweak things on my side without messing up your PR if it doesn't work right away. |
The reason this was avoided is that it's just easier to handle from a security perspective. Maybe this can be relaxed as it seems to be confusing people.
The text was updated successfully, but these errors were encountered: