
yahoo-eng-team team mailing list archive

[Bug 1819423] Re: Horizon does not support CSRF_COOKIE_HTTPONLY option

 

Reviewed:  https://review.openstack.org/642397
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=e37a508636f78a08cc750dccd9a9e85141c492c8
Submitter: Zuul
Branch:    master

commit e37a508636f78a08cc750dccd9a9e85141c492c8
Author: vmarkov <vmarkov@xxxxxxxxxxxx>
Date:   Wed Mar 6 16:57:09 2019 +0200

    Implement CSRF_COOKIE_HTTPONLY option support
    
    The proposed patch allows passing the CSRF token as a hidden input in the
    template. Without it, turning on CSRF_COOKIE_HTTPONLY severely degrades
    Horizon functionality.
    
    Change-Id: I1b1db496c31e6c64d0c205189e845c2cc0c09184
    Closes-bug: #1819423


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1819423

Title:
  Horizon does not support CSRF_COOKIE_HTTPONLY option

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  Steps to reproduce:
  Deploy OpenStack; Devstack Pike is enough.

  Add the following option to /etc/openstack-dashboard/local_settings.py:

  CSRF_COOKIE_HTTPONLY = True

  Restart Apache

  Expected result:

  Horizon works

  Actual result:
  Several issues appear in Horizon. A request to /api/policy returns 403, and a "Policy check failed" warning is displayed. At least the "Launch instance" and "Create image" dashboards are affected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1819423/+subscriptions
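
The failure mode and the fix described above, as an added example that is not part of the original notification and is not Horizon's code. It assumes Django's default names (`csrftoken` cookie, `csrfmiddlewaretoken` hidden input, `X-CSRFToken` header); the function names and sample values are hypothetical and constructed.

```javascript
// Added illustration, not Horizon's code. Function names are hypothetical.

// Model of what page scripts see in document.cookie: the browser omits
// any cookie that was set with the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly\b/i.test(h))
    .map((h) => h.split(';')[0].trim())
    .join('; ');
}

// Cookie-based lookup: works only while the CSRF cookie is script-readable.
function tokenFromCookie(cookieString, name = 'csrftoken') {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// Template-based lookup: read the hidden input rendered by {% csrf_token %}.
// `doc` is anything exposing querySelector (document in a browser).
function tokenFromHiddenInput(doc) {
  const el = doc.querySelector('[name=csrfmiddlewaretoken]');
  return el ? el.value : null;
}

// Headers for an AJAX request that must pass Django's CSRF check.
function csrfHeaders(cookieString, doc) {
  const token = tokenFromCookie(cookieString) || tokenFromHiddenInput(doc);
  return token ? { 'X-CSRFToken': token } : {};
}

// Constructed sample data (not real tokens or captured traffic).
const TOKEN = 'constructed-sample-token';
const plainCookie = [`csrftoken=${TOKEN}; Path=/; SameSite=Lax`];
const httpOnlyCookie = [`csrftoken=${TOKEN}; Path=/; HttpOnly; SameSite=Lax`];
const emptyDoc = { querySelector: () => null };
const docWithInput = {
  querySelector: (s) => (s === '[name=csrfmiddlewaretoken]' ? { value: TOKEN } : null),
};

function demo() {
  return {
    cookieReadable: csrfHeaders(scriptVisibleCookies(plainCookie), emptyDoc),
    httpOnlyNoInput: csrfHeaders(scriptVisibleCookies(httpOnlyCookie), emptyDoc),
    httpOnlyWithInput: csrfHeaders(scriptVisibleCookies(httpOnlyCookie), docWithInput),
  };
}
console.log(demo());
```

The `httpOnlyNoInput` case produces no `X-CSRFToken` header, which is the condition under which Django's CSRF check answers 403; the hidden-input lookup restores the header without making the cookie script-readable again.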

