@@ -96,10 +96,16 @@ the request is denied and the error is surfaced to the client. Plugins should al
9696cannot confidently evaluate a request, it should return an error or ` Allow: false ` .
9797
9898> [ !WARNING]
99- > The plugin receives the [ ** raw** request body] ( #authzpluginauthzreq ) from the daemon, so the
100- > plugin must apply the same decoding semantics to ensure it is correctly evaluating
101- > the request. The daemon decodes JSON ** case-insensitively** , ** last-one-wins** ,
102- > and does not reject duplicate or case-variant keys.
99+ > Because the plugin receives the [ ** raw** request body] ( #authzpluginauthzreq ) from the daemon, it must
100+ > apply the same decoding semantics as the daemon to be sure it evaluates the request the daemon will
101+ > act on. The daemon decodes JSON with Go's [ ` encoding/json.Unmarshal ` ] ( https://pkg.go.dev/encoding/json#Unmarshal ) .
102+ >
103+ > The same requirement applies to the response body. Plugins that depend on ` ResponseBody `
104+ > inspection for redaction or content-filtering should restrict their policies to endpoints
105+ > whose response is produced as a single write (typical of REST-style API responses). For
106+ > commands whose responses are streamed or are likely to exceed the [ buffer] ( #response-body-size-and-partial-buffering ) through multiple
107+ > writes, do not rely on ` ResponseBody ` for security-relevant decisions; perform the filtering
108+ > in a separate layer in front of the daemon.
103109
104110### Response body size and partial buffering
105111
@@ -117,15 +123,6 @@ is the practical effect of this 64 KiB threshold combined with the
117123is immediately drained to the client and is therefore no longer available
118124for plugin inspection by the time the handler returns.
119125
120- > [ !NOTE]
121- > Plugins that depend on ` ResponseBody ` inspection for redaction or
122- > content-filtering should restrict their policies to endpoints whose
123- > response is produced as a single write (typical of REST-style API
124- > responses). For commands whose responses are streamed or are likely to
125- > exceed the buffer through multiple writes, do not rely on ` ResponseBody `
126- > for security-relevant decisions; perform the filtering in a separate
127- > layer in front of the daemon.
128-
129126During request/response processing, some authorization flows might
130127need to do additional queries to the Docker daemon. To complete such flows,
131128plugins can call the daemon API similar to a regular user. To enable these
0 commit comments