yahoo-eng-team team mailing list archive

[Bug 1431458] Re: Incorrect link/terminology on Deploying Horizon page

 

** Also affects: horizon
   Importance: Undecided
       Status: New

** No longer affects: openstack-manuals

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1431458

Title:
  Incorrect link/terminology on Deploying Horizon page

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  On this page:
  https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst
  , towards the bottom in "Secure Site Recommendations", the text says
  "To help protect the session cookies from cross-site scripting add the
  following" and then proceeds to document settings which set the
  cookies to "secure".

  Protection from cross-site scripting is done by another cookie
  setting, HttpOnly.  The link in this text also refers to OWASP
  HttpOnly.

  Ideally sensitive cookies like sessionid and csrf tokens will be
  protected by both settings.  In any case these two cookie options
  should be mentioned separately as they are both important and serve
  different purposes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1431458/+subscriptions
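
Added example (not part of the bug report or of Horizon's code): a small Python check that treats Secure and HttpOnly as the two separate protections the report describes and lists which one each sensitive cookie lacks. The cookie names sessionid and csrftoken are assumed to be Django's defaults, and the Set-Cookie values are constructed.

```python
# Added example: audit Set-Cookie headers for the two flags the bug report
# says should be documented separately. All header values are constructed.

SENSITIVE = {"sessionid", "csrftoken"}  # assumed Django default cookie names

# The two flags are independent and serve different purposes.
FLAG_PURPOSE = {
    "secure": "sent only over HTTPS (protects against network interception)",
    "httponly": "hidden from document.cookie (limits theft via injected script)",
}


def parse_set_cookie(header):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(headers):
    """Map each sensitive cookie name to the sorted list of flags it lacks."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in SENSITIVE:
            findings[name] = sorted(f for f in FLAG_PURPOSE if f not in attrs)
    return findings


# Constructed sample responses, not captured from a real deployment.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",  # Secure set, HttpOnly missing
    "csrftoken=def456; Path=/",          # neither flag set
    "theme=dark; Path=/",                # hypothetical non-sensitive cookie
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        for flag in missing:
            print(f"{cookie}: missing {flag}: {FLAG_PURPOSE[flag]}")
        if not missing:
            print(f"{cookie}: Secure and HttpOnly both set")
```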