Bug 1905416 - Hyperlink not working from Operator Description [NEEDINFO]
Summary: Hyperlink not working from Operator Description
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
: 4.7.0
Assignee: Jon Jackson
QA Contact: Siva Reddy
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-08 09:58 UTC by Siddhant More
Modified: 2021-02-24 15:41 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Operator descriptions are rendered in a sandboxed iframe, which disables javascript within that iframe. Consequence: When user clicks a `target="_blank"` link within a sandboxed iframe, the sandbox limitations are inherited by the new tab, so javascript will not run on pages that are externally linked this way. Fix: Add `allow-popups-to-escape-sandbox` to operator description iframe sandbox attribute, which opens new tabs outside of the sandbox. Result: External links from operator description iframes now open and run normally.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:41:14 UTC
Target Upstream Version:
simore: needinfo? (schituku)
jonjacks: needinfo? (schituku)
sbhavsar: needinfo? (schituku)


Attachments (Terms of Use)
URL instead of here link (128.35 KB, image/png)
2021-01-27 01:18 UTC, Siva Reddy
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 7797 0 None closed Bug 1905416: Fix sandboxed links in MarkdownView iframe 2021-02-18 01:38:55 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:41:37 UTC

Description Siddhant More 2020-12-08 09:58:14 UTC
Description of problem:
There is an URL in CU's custom operator description section that redirects to a page outside of OCP. 	
	~ When we click on this URL the external page fails to load. 
	~ When we open the URL in a new tab(Right-click + open in new tab) the page loads fine.

Version-Release number of selected component (if applicable):
RHOCP 4.6.z 

How reproducible:
Always

Steps to Reproduce:
================
- Prereq:
	~ Create a project:
```
# cat ns.yaml

kind: Project
apiVersion: project.openshift.io/v1
metadata:
  name: ta-sample 

# oc create -f ns.yaml

```
	~ Create role binding
``
# cat crb.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ta-sample-cluster-admin
subjects:
  - kind: ServiceAccount
    name: ta-operator
    namespace: ta-sample
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

# oc create -f crb.yaml
``

- Install the operator. 
	~ Login to web-console 
	~ Navigate to Operator Hub
	~ Search for "Transformation Advisor Operator"
	~ Click "Install" 
	~ IMP: Select "Update Channel" as "stable" 
	~ Installed Namespace: Select the one we created(ta-sample) 
	~ Click "Install" 
================

Actual results: 
Now that the operator is installed, check the following text from the operator description:
~~~
`IBM Cloud Transformation Advisor` helps you plan, prioritize, and package your on-premise workloads for modernization on OpenShift Container Platform. Documentation for the product can be found `here`. 
~~~

Clicking on the hyperlink from the above text doesn't load the page.

Expected results:
Clicking on the hyperlinks should load the page.

Additional info: 


The Operator Description contains a simple and valid link to a page on the partner's web site.

However, when a user clicks on the link, the browser starts loading the target page, https://www.ibm.com/garage/method/practices/learn/ibm-transformation-advisor, which has a JavaScript link in the HTML header. This immediately causes the browser to abort the page load, because the iframe in which the loading is taking place was not configured by the OCP web server to allow off-site script execution.

Comment 1 Kevin Rizza 2020-12-08 16:09:54 UTC
Moving this to Console, as this appears to be an issue with the UI.

Comment 2 Yadan Pei 2020-12-09 03:28:04 UTC
I tried the steps but didn't reproduce the issue, when I click on the hyperlinks in Description all links are opened 

`IBM Cloud Transformation Advisor`(hyperlink1) helps you plan, prioritize, and package your on-premise workloads for modernization on OpenShift Container Platform. Documentation for the product can be found `here`.(hyperlink2)

I checked both on 4.6 and 4.7

Comment 3 Siddhant More 2020-12-10 13:47:22 UTC
Hi Yadan,

Thanks for looking into this. I am still seeing the aforementioned issue. 

Can you confirm when you click(Left mouse click) on the hyperlink the page opens in a new tab, BUT the web-page content is blank? 
With a "Right-click + open in a new tab", the page opens in a new tab AND the web-page content loads as expected. 

I will soon share images of what I see and am meaning to say in order to showcase the issue.

Comment 5 Yadan Pei 2020-12-16 03:14:13 UTC
You are right Siddhant, I can reproduce your issue today and got exactly the same results with you

Comment 6 Yadan Pei 2020-12-16 03:16:07 UTC
it looks like when we left click the links, the content is blocked by browser

Comment 10 Siva Reddy 2021-01-27 01:17:20 UTC
 Now instead of "here" link the urls are hard coded into the description. Not sure if it is intended solution so returning the bug back.

the pr is part of the commit
# git log 4aee12793b7c5e3594e5963bafc3d33bad026857 | grep '#7797'
    Merge pull request #7797 from TheRealJon/1905416

Version:
 4.7.0-0.nightly-2021-01-25-231006

Steps to reproduce: 
  the same exact steps mentioned in the bug description (https://bugzilla.redhat.com/show_bug.cgi?id=1905416#c0).

attached the screen shot of the issue.

Comment 11 Siva Reddy 2021-01-27 01:18:25 UTC
Created attachment 1751079 [details]
URL instead of here link

Comment 12 Siddhant More 2021-01-27 09:07:05 UTC
Hi Siva, 

>> Now instead of "here" link the urls are hard coded into the description. Not sure if it is intended solution so returning the bug back.
-> This is not an intended solution. The customer has modified the description to have the URL hardcoded so the end-users can copy->paste the URL into a browser and reach the destination page that will load the web page content completely. (Since it is the same as right-click, copy URL and then paste)

I believe the reason you are seeing the URL hardcoded in the description is that you chose to install v2.3 of the operator. Install the "stable" version of the operator and you will be able to see the hyperlinks. I can confirm the same at the time of writing this comment as I deployed the operator and verified it right now. The same about selecting the stable channel is mentioned in the bug description.
~~
	~ IMP: Select "Update Channel" as "stable" 
~~ 

I request you to give it a shot with the stable channel. 

Thanks!

Comment 13 Yadan Pei 2021-02-03 02:53:46 UTC
Follow the exact steps in https://bugzilla.redhat.com/show_bug.cgi?id=1905416#c0

After operator installed successfully, check Installed Operators description: 

`IBM Cloud Transformation Advisor` helps you plan, prioritize, and package your on-premise workloads for modernization on OpenShift Container Platform. Documentation for the product can be found `here`.

click on the two hyperlinks and all pages are opened successfully

Verified on 4.7.0-0.nightly-2021-02-02-164630

Comment 16 Yadan Pei 2021-02-18 01:56:01 UTC
Clear my NEEDINFO

Comment 19 errata-xmlrpc 2021-02-24 15:41:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.