Yes. You are right. There is such functionality. We missed it because there is no integration test for it.
Another sad thing is that this functionality last time worked with Che5 + Codenvy. Because it uses
authentification methods that are no longer exist in Che6/7 era.
What we can do:
With CORS filter on workspace master.
1. Do not upgrade tomcat with the latest security fixes. Does anybody think that this is a good idea?
2. Allow configuring "origins" from the configuration. Quite useless since we don't know all the possible locations.
3. Disable auth on CORS. Limits functionality to public methods only.
4. Remove CORS at all from the master. In this way, we remove potential CORS vulnerabilities on ws-master from the agenda.
My preference: 4 or 3.
With "export to private cloud" - functionality.
1. Just create a bug about not working functionality and forget.
3. Fix this functionality in the combination of some sort of OAuth + server-side service method to be able safely sent authorization data.
I think 3 can quickly look like as 1. That is why I think 2 is the best way.
Thoughts?
The dashboard is not an issue if we talking about the same host.
With ws-master, they are on the same domain. With agent: we are going to allow the request from dashboard's host.
