Widget actions: Add a HTTP action to perform HTTP requests

[florian-h05]

This allows to perform HTTP requests from inside widget actions.
The use case might be limited, but for example this can be used to allow access to local only ressources/smart devices that should not be made available via remote access and hence cannot be integrated as Items into openHAB for security purpose.

[relativeci]

#2189 Bundle Size — 10.82MiB (~+0.01%).

4f7e22f(current) vs f745fa9 main#2188(baseline)

Warning

Bundle contains 2 duplicate packages – View duplicate packages

Bundle metrics   2 changes 1 regression

	Current #2189	Baseline #2188
Initial JS	1.89MiB(+0.04%)	1.89MiB
Initial CSS	576.5KiB	576.5KiB
Cache Invalidation	17.42%	17.81%
Chunks	226	226
Assets	249	249
Modules	2914	2914
Duplicate Modules	149	149
Duplicate Code	1.8%	1.8%
Packages	96	96
Duplicate Packages	2	2

Bundle size by type   1 change 1 regression

	Current #2189	Baseline #2188
JS	9.04MiB (~+0.01%)	9.04MiB
CSS	862.88KiB	862.88KiB
Fonts	526.1KiB	526.1KiB
Media	295.6KiB	295.6KiB
IMG	140.74KiB	140.74KiB
HTML	1.24KiB	1.24KiB
Other	871B	871B

Bundle analysis report Branch florian-h05:action-http Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}

[florian-h05]

@ghys Thanks for your feedback.
WRT to CSP: I see that Main UI already has a CSP, do you think we can adjust it in a way that a user cannot load scripts from external servers?

[florian-h05]

Okay we can use CSP to limit to which domains a request can be sent by this action.
Should we limit that and advise users that want to use this action to overwrite our CSP by setting the header on a reverse proxy?

[florian-h05]

Okay this seems to be very restrictive and not super user-friendly ...

[ghys]

I totally forgot there was already a CSP...

I wonder if we could have a configurable whitelist of allowed domains that would alter the CSP - maybe by generating the index.html dynamically.
Ideally it would not be configurable remotely, like the whitelist of the exec binding.

[florian-h05]

maybe by generating the index.html dynamically.

I think it is actually easier than that:
We can set the CSP as a header (and keep the one in the index.html as fallback — the header is prioritised over the meta tag) in the UI’s servlet, where we of course can do this programmatically.

However we need to figure out how to provide the list of allowed domains in a file-only config … it should help to have a look at the code of the exec binding (https://github.com/openhab/openhab-addons/blob/e62f3af4c7173145f6f2742e3a88631f5c5fdbb8/bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecWhitelistWatchService.java#L41).

[ghys]

We can set the CSP as a header

Ah yes indeed... so maybe via a derived servlet to serve that index page (and the rest, possibly) - or equivalent.