yahoo-eng-team team mailing list archive
Message #52993
[Bug 1597557] [NEW] getting CSRF token missing or incorrect. /api/nova/servers/ when CSRF_COOKIE_HTTPONLY=True
Public bug reported:
Using stable/mitaka, if I set CSRF_COOKIE_HTTPONLY=True in
local_settings.py, when I try to launch an instance I get
Forbidden (CSRF token missing or incorrect.): /api/nova/servers/
If I set it to false (or don't set it), then it works fine.
This is what does not work:
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
# prevent certain client-side attacks, such as cross-site scripting
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True
This is what does work:
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
# prevent certain client-side attacks, such as cross-site scripting
CSRF_COOKIE_HTTPONLY = False
SESSION_COOKIE_HTTPONLY = True
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1597557
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1597557/+subscriptions
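The symptom in this report (a 403 "CSRF token missing or incorrect" from an AJAX endpoint as soon as the CSRF cookie becomes HttpOnly) is what happens when browser-side code obtains the Django CSRF token by reading the "csrftoken" cookie and echoing it in the X-CSRFToken header: an HttpOnly cookie is never exposed through document.cookie, so the header goes out empty and CsrfViewMiddleware rejects the request. Django's documented alternative for this setting is to read the token from the hidden csrfmiddlewaretoken input that {% csrf_token %} renders. The following is an added example, not Horizon's or Django's own code; it models both lookup paths over constructed strings (a document.cookie-style string and an HTML fragment) so it runs outside a browser, and the cookie/token values are made up.

```javascript
// Added example (not Horizon's or Django's code): obtaining the Django CSRF
// token on the client side, and why CSRF_COOKIE_HTTPONLY=True breaks the
// cookie-based path while a DOM-based path keeps working.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Cookie-based lookup (the jQuery-cookie style pattern). With
// CSRF_COOKIE_HTTPONLY=True the browser omits the cookie from document.cookie,
// so this returns null and any X-CSRFToken header built from it is empty.
function tokenFromCookie(cookieString, name = 'csrftoken') {
  const cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, name) ? cookies[name] : null;
}

// DOM-based lookup: the value of the hidden input rendered by {% csrf_token %}.
// `html` is a string here so the example runs without a browser; in a page you
// would use document.querySelector('input[name=csrfmiddlewaretoken]').value.
function tokenFromDom(html) {
  const m = html.match(
    /<input[^>]*name=["']csrfmiddlewaretoken["'][^>]*value=["']([^"']+)["']/i
  );
  return m ? m[1] : null;
}

// Headers for an AJAX POST that works under either cookie setting: prefer the
// DOM token (survives HttpOnly), fall back to the cookie, fail loudly otherwise
// rather than sending a request that will be rejected with 403.
function buildHeaders(cookieString, html) {
  const token = tokenFromDom(html) || tokenFromCookie(cookieString);
  if (token === null) {
    throw new Error('no CSRF token: cookie is HttpOnly and page has no csrfmiddlewaretoken input');
  }
  return { 'X-CSRFToken': token, 'X-Requested-With': 'XMLHttpRequest' };
}

// Constructed samples (made-up values) reproducing the two configurations.
const COOKIES_HTTPONLY_FALSE = 'sessionid=s3ss10n; csrftoken=tok123';
const COOKIES_HTTPONLY_TRUE = 'sessionid=s3ss10n';           // csrftoken hidden from JS
const PAGE_WITH_TOKEN =
  '<form><input type="hidden" name="csrfmiddlewaretoken" value="tok123"></form>';
const PAGE_WITHOUT_TOKEN = '<form></form>';

// Summarize what each strategy yields in each configuration.
function demo() {
  return {
    cookieWhenNotHttpOnly: tokenFromCookie(COOKIES_HTTPONLY_FALSE),   // 'tok123'
    cookieWhenHttpOnly: tokenFromCookie(COOKIES_HTTPONLY_TRUE),       // null -> the 403 in the report
    domWhenHttpOnly: buildHeaders(COOKIES_HTTPONLY_TRUE, PAGE_WITH_TOKEN)['X-CSRFToken'], // 'tok123'
  };
}

console.log(demo());
```

A client that only implements tokenFromCookie is exactly the one that breaks when CSRF_COOKIE_HTTPONLY is turned on; switching to the DOM lookup, or keeping the cookie non-HttpOnly as the working configuration in the report does, are the two ways out.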