Implement Horizon disallow_iframe_embed

Bug #1641882 reported by Luke Hinds
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Luke Hinds
Milestone: (none)

Bug Description

DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment.

Default setting is True.

For more information see:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script

File: /etc/openstack-dashboard/local_settings

Key / Value entry:

disallow_iframe_embed = True
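The description names two distinct defences: a response header (X-Frame-Options, or the CSP frame-ancestors directive that supersedes it) for current browsers, and the OWASP "best-for-now" frame-breaking script for legacy browsers that ignore the header. After enabling the setting it is worth verifying both on the deployed dashboard, because the legacy script alone is bypassable (iframe sandbox attributes, onbeforeunload tricks) and only the header counts as real protection. The following is an added example checker written for this page; it is not Horizon or tripleo code and makes no claim about how Horizon implements the setting internally. The function and class names (`header_policy`, `has_legacy_frame_breaker`, `assess`, `FramePosture`) and the sample responses are constructed for illustration.

```python
"""Check whether a web response (e.g. the Horizon login page) refuses iframe embedding.

Added example, not Horizon's own code. Two signals are inspected:
  1. headers: Content-Security-Policy frame-ancestors, then X-Frame-Options
  2. body:    the OWASP legacy frame-breaking script (self === top / top.location = ...)
Only the header is treated as "protected"; the script is reported but is not
sufficient on its own, since it can be defeated by a framing page.
"""
import re
import sys
import urllib.request
from dataclasses import dataclass


@dataclass
class FramePosture:
    header_policy: str   # "deny", "sameorigin", "csp" (allow-list), "allow-from" or "none"
    legacy_script: bool  # frame-breaking script present in the HTML body
    protected: bool      # True only when the header forbids cross-origin framing


# Comparison of the window with its top frame, as in the OWASP script.
_SELF_TOP_RE = re.compile(r"self\s*[!=]==?\s*top|top\s*[!=]==?\s*self")
# Redirect of the top window to the framed page (assignment or location.replace()).
_TOP_REDIRECT_RE = re.compile(r"top\.location\s*(=|\.replace\s*\()")


def header_policy(headers):
    """Classify the frame-embedding policy from a header mapping (any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if match:  # CSP frame-ancestors takes precedence where supported
        sources = match.group(1).strip().lower()
        if sources == "'none'":
            return "deny"
        if sources == "'self'":
            return "sameorigin"
        return "csp"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    if xfo.startswith("allow-from"):
        return "allow-from"  # obsolete and ignored by modern browsers
    return "none"


def has_legacy_frame_breaker(body):
    """True if the body carries both halves of the OWASP legacy frame-breaking script."""
    return bool(_SELF_TOP_RE.search(body) and _TOP_REDIRECT_RE.search(body))


def assess(headers, body):
    """Combine both signals into a posture; only a denying header counts as protected."""
    policy = header_policy(headers)
    return FramePosture(
        header_policy=policy,
        legacy_script=has_legacy_frame_breaker(body),
        protected=policy in ("deny", "sameorigin"),
    )


def fetch_posture(url):
    """Assess a live URL (no network is needed for the constructed samples below)."""
    with urllib.request.urlopen(url) as resp:  # nosec: operator-supplied URL
        return assess(dict(resp.headers.items()), resp.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real deployment).
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
HARDENED_BODY = """<html><head>
<style id="antiClickjack">body{display:none !important;}</style>
<script>if (self === top) { var a = document.getElementById("antiClickjack");
a.parentNode.removeChild(a); } else { top.location = self.location; }</script>
</head><body>Log in</body></html>"""
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = "<html><body>Log in</body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], fetch_posture(sys.argv[1]))
    else:
        print("hardened:", assess(HARDENED_HEADERS, HARDENED_BODY))
        print("weak:    ", assess(WEAK_HEADERS, WEAK_BODY))
```

Run it with the dashboard URL as the argument to check a real deployment; a result with `legacy_script=True` but `protected=False` means the HTML-side mitigation is present while the header that modern browsers rely on is still missing.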

Luke Hinds (lhinds)
Changed in tripleo:
status: New → Triaged
importance: Undecided → Medium
Luke Hinds (lhinds)
Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/409109

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/409109
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0146b6be0d2f1710c7884a39fd60a2124394fc56
Submitter: Jenkins
Branch: master

commit 0146b6be0d2f1710c7884a39fd60a2124394fc56
Author: Luke Hinds <email address hidden>
Date: Fri Dec 9 11:41:19 2016 +0000

    Manage disallow_iframe_embed

    disallow_iframe_embed can be used to prevent Horizon from being
    embedded within an iframe. Legacy browsers are still vulnerable
    to a Cross-Frame Scripting (XFS) vulnerability, so this option
    allows extra security hardening where iframes are not used in
    deployment

    Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
    Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
    Closes-Bug: #1641882

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0rc1 release candidate.
