
yahoo-eng-team team mailing list archive

[Bug 1463698] Re: XSS

 

Amit failed to respond to an important question: whether Horizon and Swift are
running on the same domain.

From the screenshot, the image is opened using the Swift Public URL
endpoint.

And it seems that Swift is running on the same domain as Horizon,
allowing the script to access the Horizon cookie.

The reported bug is invalid for Horizon.

This is more of a deployment issue.

Horizon already documents the configuration needed to avoid XSS attacks in:
https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst

By setting:
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True


** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1463698

Title:
  XSS

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Object Storage (swift):
  Invalid

Bug description:
  2.14.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1463698/+subscriptions
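As an added defender's check (example code written for this page, not from the bug thread, Horizon or Django), the script below audits the Set-Cookie headers a Horizon response returns and reports sensitive cookies that lack the HttpOnly and Secure flags the two settings above control. The sample headers are constructed; the cookie names assume Django's default SESSION_COOKIE_NAME and CSRF_COOKIE_NAME, and parsing assumes Python 3.8 or later.

```python
"""Audit Set-Cookie headers from a Horizon response for HttpOnly/Secure flags."""
from http.cookies import SimpleCookie

# Django's default cookie names; change these if the deployment overrides
# SESSION_COOKIE_NAME or CSRF_COOKIE_NAME in local_settings.py (assumption).
SENSITIVE_COOKIES = {"sessionid", "csrftoken"}


def audit_set_cookie_headers(headers):
    """Return {cookie_name: [missing flags]} for every sensitive cookie seen.

    `headers` is a list of raw Set-Cookie header values. Cookies that are not
    in SENSITIVE_COOKIES are ignored; an empty list means the cookie is fine.
    """
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in SENSITIVE_COOKIES:
                continue
            missing = []
            # Morsel flags evaluate to True when present, "" when absent.
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if not morsel["secure"]:
                missing.append("Secure")
            findings[name] = missing
    return findings


# Constructed sample responses: a weak deployment (HTTPONLY settings left off,
# served over plain HTTP) and a hardened one with both settings set to True.
WEAK_HEADERS = [
    "sessionid=deadbeef; Path=/",
    "csrftoken=abc123; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=deadbeef; HttpOnly; Secure; Path=/",
    "csrftoken=abc123; HttpOnly; Secure; Path=/",
    "theme=light; Path=/",  # non-sensitive cookie, not reported
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for cookie, missing in audit_set_cookie_headers(hdrs).items():
            state = "missing " + ", ".join(missing) if missing else "ok"
            print(f"{label}: {cookie}: {state}")
```

HttpOnly only keeps injected script from reading the cookie; it does not stop that script from running, so serving Swift objects from the same origin as Horizon remains the deployment issue to fix.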