Integrating with Earthdata Status App

The Earthdata Status application provides notification banners for the Earthdata web site (https://earthdata.nasa.gov) and other related applications. Notifications are configured at a central location (https://status.earthdata.nasa.gov) and made available to client applications through public APIs, JavaScript widgets, and end-user-facing status pages.

The primary use cases addressed by the Status application are:

· Planned Maintenance: Owners of client applications can push up a banner with information regarding any upcoming maintenance windows, so that users can be notified of any potential issues with the site.

· Emergency Notifications: When an unplanned outage occurs, a client application owner can immediately display a banner about the outage on impacted sites and applications, potentially including links to further support/information.

Step-by-step guide

In order to provide notifications for your applications via the Status application:

1. Register your application: First register your application with the Status application by making a NAMS Request for "GSFC ESDIS Status App". Choose the "Owner" role under "Does the user need to integrate Status App into an existing website?".

Select Owner role

Also enter details for your application, namely the name that Status App will use to identify it (under "Please enter a name for your site (Identity used within Status App)")

Name to Identify your app within status App

and the URL of your application (under "Enter the URL (Web Address) for the site that you would like Status Notifications to be posted to (Please include http:// or https://)")

https://my.app.earthdata.nasa.gov

If there are multiple applications that you wish to register (a test or a QA site, for example), click the "Add" button to show additional fields and enter those sites as separate entries.

Register to be owner of additional apps

An example business justification may look like:

We would like notifications posted on Status App for 'MyApp' to show up on our site <MyDomain>/MyURL

The relevant part of the NAMS form will look like:

NAMS Request form view

2. Add notifications for your application: The NAMS request will be routed to a Status App operator, who will register your application. Once it is registered, an owner designated in your step 1 request can add notifications for the application by going to the Status App.

Active notifications for your site can be displayed on your site in two ways. The simplest, which requires the least work on your part, is to add the banner widget to your site:

1. Add a JS reference to your page:

<script src="https://status.earthdata.nasa.gov/assets/banner_widget.js"></script>

2. Near the top of your page, add:

<!-- Add the Status banner -->
<div id="earthdata-notification-banner"></div>
<!-- End Status banner -->

3. When your page with this div is loaded, the notification banners will be placed (if there are any) within this div.

Using custom JavaScript and the Status application API

Custom notification banners can be created on your site by using your own JavaScript to retrieve notifications via the Earthdata Status API and render them. To restrict notifications to your website, use the domain parameter with the value of the URL exactly as provided in the Register your application step.

What CSRF protection does Status App support?

Status App has three levels of protection against a user entering malicious code in a notification that is then shown on a client application's site:

1. The Status App requires you to log in via Launchpad, and be approved to post notifications to a specific app.

2. The Status App UI gets CSRF and XSS protection via Rails; you can't post a notification without actually being on the Status app website (you couldn't, for instance, be tricked into posting a notification from some phishing site that pretends to be the Status App).

3. The notifications that users enter are sanitized, so that they can only enter links and some basic formatting for them, but not much else. Only the href and target attributes of <a> elements are supported in messages. Rails sanitizes the href attribute and removes JavaScript content.

$ rails console
Loading development environment (Rails 4.2.8)
2.2.2 :001 > message = "<a href=\"http://www.harmless.com/\" onclick=\"" +
2.2.2 :002 >   "var f = document.createElement('form');" + 
2.2.2 :003 >   "f.style.display = 'none';" + 
2.2.2 :004 >   "this.parentNode.appendChild(f);" + 
2.2.2 :005 >   "f.method = 'POST';" + 
2.2.2 :006 >   "f.action = 'http://www.example.com/account/destroy';" + 
2.2.2 :007 >   "f.submit();" +
2.2.2 :008 >   "return false;\">To the harmless survey</a>"
 => "<a href=\"http://www.harmless.com/\" onclick=\"var f = document.createElement('form');f.style.display = 'none';this.parentNode.appendChild(f);f.method = 'POST';f.action = 'http://www.example.com/account/destroy';f.submit();return false;\">To the harmless survey</a>" 
2.2.2 :009 > message 
 => "<a href=\"http://www.harmless.com/\" onclick=\"var f = document.createElement('form');f.style.display = 'none';this.parentNode.appendChild(f);f.method = 'POST';f.action = 'http://www.example.com/account/destroy';f.submit();return false;\">To the harmless survey</a>" 
2.2.2 :010 > ActionController::Base.helpers.sanitize(message, tags: %w(a), attributes: %w(href target))
 => "<a href=\"http://www.harmless.com/\">To the harmless survey</a>"

and

2.2.2 :001 > message = "<a href=\"javascript:alert('This is an XSS attack')\">click me</a>"
 => "<a href=\"javascript:alert('This is an XSS attack')\">click me</a>" 
2.2.2 :002 > ActionController::Base.helpers.sanitize(message, tags: %w(a), attributes: %w(href target))
 => "<a>click me</a>"
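A site that renders API results with its own JavaScript can re-apply the same allowlist (only <a>, only href and target) on the client as defense in depth, and build the banner with DOM calls instead of innerHTML. This is an added example, not Status App or banner_widget.js code; the function names are hypothetical, and it assumes one notification's message HTML is already available as a string.

```javascript
// Added example, not Status App or banner_widget.js code. Assumes the caller
// already holds one notification's message HTML as a string.
const ENT = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
const decode = s => s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ENT[e]);

// Accept only absolute http(s) URLs; javascript:, data: and relative are null.
function safeHref(raw) {
  try {
    const u = new URL(decode(raw).trim());
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) { return null; }
}

// Read one quoted attribute value out of a start tag's attribute text.
function attr(attrs, name) {
  const m = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*(["\'])(.*?)\\1', 'i').exec(attrs);
  return m ? m[2] : null;
}

// Split a message into text and link segments. Only <a> survives, and only
// with href and target; every other tag is dropped and its text kept.
function parseMessage(html) {
  const segs = [];
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^<>]*)>/gi;
  let last = 0, link = null, m;
  const pushText = t => { if (t) segs.push({ text: decode(t), ...link }); };
  while ((m = tagRe.exec(html)) !== null) {
    pushText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    if (m[2].toLowerCase() !== 'a') continue;
    if (m[1]) { link = null; continue; }
    const href = safeHref(attr(m[3], 'href') || '');
    const target = attr(m[3], 'target') === '_blank' ? '_blank' : null;
    link = href ? { href, target } : null;
  }
  pushText(html.slice(last));
  return segs;
}

// Browser side: build nodes with DOM APIs, never innerHTML.
function renderBanner(container, html) {
  for (const s of parseMessage(html)) {
    const text = document.createTextNode(s.text);
    if (!s.href) { container.appendChild(text); continue; }
    const a = Object.assign(document.createElement('a'), { href: s.href });
    if (s.target) Object.assign(a, { target: s.target, rel: 'noopener noreferrer' });
    container.appendChild(a).appendChild(text);
  }
}
```

Unquoted attribute values and entities other than the five decoded here are not recognised, so such links degrade to plain text rather than passing through.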