yahoo-eng-team team mailing list archive
Message #35261
[Bug 1474079] [NEW] Cross-site web socket connections fail on Origin and Host header mismatch
Public bug reported:
The Kilo web socket proxy implementation for Nova consoles added an
Origin header validation to ensure the Origin hostname matches the
hostname from the Host header. This was a result of the following XSS
security bug: https://bugs.launchpad.net/nova/+bug/1409142
(CVE-2015-0259)
In other words, this requires that the web UI being used (Horizon, or
whatever) have a URL hostname which is the same as the hostname by
which the console proxy is accessed. This is a safe assumption for
Horizon. However, we have a use case where our (custom) UI runs at a
different URL than does the console proxies, and thus we need to allow
cross-site web socket connections. The patch for 1409142
(https://github.secureserver.net/cloudplatform/els-nova/commit/fdb73a2d445971c6158a80692c6f74094fd4193a)
breaks this functionality for us.
Would like to have some way to enable controlled XSS web socket
connections to the console proxy services, maybe via a nova config
parameter providing a list of allowed origin hosts?
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1474079
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1474079/+subscriptions
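The check the report describes (Origin hostname must equal the Host header hostname) together with the allowlist it asks for, as an added example that is not part of the original message and not Nova's own code. The function names (validate_origin, OriginCheckError), the policy of refusing a plain-http Origin on a TLS proxy, the exact-match treatment of allowlist entries, and the handshake headers are all assumptions constructed for this illustration.

```python
"""Origin-header check for a WebSocket console proxy.

Added example, not Nova's code: a handshake is accepted when the Origin
header's hostname equals the Host header's hostname (the same-site case
the bug report describes) or when the Origin is in an operator-supplied
allowlist (the knob the report asks for). validate_origin,
OriginCheckError and the sample headers below are constructed here.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class OriginCheckError(Exception):
    """Raised when a WebSocket handshake fails the Origin check."""


def _header(headers, name):
    """Case-insensitive lookup of a header on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_origin(origin, proxy_scheme):
    """Return (scheme, host, port) for an Origin or allowlist value.

    Rejects opaque origins ('null'), bare hostnames and unknown schemes,
    and rejects a plain-http page talking to a TLS proxy (assumed policy).
    """
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:
        raise OriginCheckError("malformed port in origin %r" % origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise OriginCheckError("malformed or opaque origin %r" % origin)
    if proxy_scheme == "https" and parts.scheme != "https":
        raise OriginCheckError("http origin %r not allowed on a TLS proxy" % origin)
    return parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme]


def _host_header_name(host):
    """Hostname part of a Host header ('[::1]:6080' -> '::1')."""
    parts = urlsplit("//" + host.strip())
    if not parts.hostname:
        raise OriginCheckError("malformed Host header %r" % host)
    return parts.hostname.lower()


def validate_origin(headers, allowed_origins=(), proxy_ssl=False):
    """Return the accepted Origin string (None if absent) or raise.

    headers:          dict of request headers from the handshake
    allowed_origins:  origins such as 'https://ui.example.net:8443' that
                      may connect although their hostname differs from the
                      proxy's; matched exactly on scheme, host and port
    proxy_ssl:        whether this proxy terminates TLS
    """
    proxy_scheme = "https" if proxy_ssl else "http"
    origin = _header(headers, "Origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a
        # request without it is a non-browser client, not a cross-site page.
        return None
    o_scheme, o_host, o_port = _parse_origin(origin, proxy_scheme)
    host = _header(headers, "Host")
    if host is None:
        raise OriginCheckError("missing Host header")
    if o_host == _host_header_name(host):
        return origin  # same-site: the UI is served from the proxy's hostname
    for allowed in allowed_origins:
        # A malformed allowlist entry raises here, i.e. fails closed.
        if _parse_origin(allowed, proxy_scheme) == (o_scheme, o_host, o_port):
            return origin  # explicitly allowlisted cross-site UI
    raise OriginCheckError("origin %r does not match host %r and is not allowlisted"
                           % (origin, host))


if __name__ == "__main__":
    # Constructed handshake: custom UI on ui.example.net, proxy reached
    # as console.example.com:6080 over TLS.
    cross_site = {"Host": "console.example.com:6080",
                  "Origin": "https://ui.example.net"}
    try:
        validate_origin(cross_site, proxy_ssl=True)
    except OriginCheckError as exc:
        print("rejected:", exc)
    print("accepted:", validate_origin(cross_site, ["https://ui.example.net"],
                                       proxy_ssl=True))
```

Only the hostnames are compared in the same-site branch, so Horizon at https://horizon.example.com can reach a proxy on horizon.example.com:6080; allowlist entries are compared on scheme, host and port, so an operator who lists https://ui.example.net:8443 does not also admit the same host on port 443.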