Can't launch instances / Forbidden (CSRF token missing or incorrect.): /api/policy/
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard Charm | Fix Released | High | Alex Kavanagh | 20.01 |
Bug Description
Cloud: bionic-queens
I used the horizon dashboard over https with ssl-cert without any problems before.
After I did a charm upgrade to revision 294 I can't launch instances in the horizon dashboard anymore.
I found some errors in the apache logfile:
DEBUG:urllib3.
Forbidden (CSRF token missing or incorrect.): /api/policy/
DEBUG:urllib3.
Forbidden (CSRF token missing or incorrect.): /api/policy/
I tested this with revision 295 and there is still this problem.
I can launch instances via the CLI without problems, that's why I think it's just a horizon problem.
If I downgrade back to revision 293, the issue is gone.
(juju upgrade-charm openstack-dashboard --revision 293)
description: updated
Changed in charm-openstack-dashboard:
milestone: none → 20.01
status: Fix Committed → Fix Released
Hi
I'm wondering if this is related to this fix:
commit 101098a1c2c1d7e30f5d4406e599074dee5d3ce7
Author: Sahid Orentino Ferdjaoui <email address hidden>
Date: Tue Apr 2 12:14:23 2019 +0200
apache2: add secure flag header when enforce_ssl
The Secure attribute tells the browser to only send the cookie if the
request is being sent over a secure channel such as HTTPS. This will
help protect the cookie from being passed over unencrypted requests.
Change-Id: I1ded951d79ad9fa832d1e88f656a1e064b1ef007
Closes-bug: #1822751
Signed-off-by: Sahid Orentino Ferdjaoui <email address hidden>
diff --git a/templates/ default- ssl b/templates/ default- ssl default- ssl default- ssl cateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }} Transport- Security "max-age={{ hsts_max_ age_seconds }}" Type-Options "nosniff"
index c6caf22..1b42cf5 100644
--- a/templates/
+++ b/templates/
@@ -44,6 +44,7 @@ NameVirtualHost *:{{ 443 }}
SSLCertifi
{% if enforce_ssl %}
Header set Strict-
+ Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
{% endif %}
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-
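Review bot: the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line appends HttpOnly to every cookie the dashboard sets, although the commit message only justifies adding the Secure attribute. Django's CSRF cookie is meant to be readable from script (CSRF_COOKIE_HTTPONLY defaults to False) because the browser-side code copies it into the X-CSRFToken request header; once Apache marks it HttpOnly that header can no longer be populated and POSTs such as /api/policy/ fail the CSRF check, which is exactly the symptom reported in this bug. Suggest limiting the rewrite to what the message describes, `Header edit Set-Cookie ^(.*)$ $1;Secure`, and leaving HttpOnly to Django's own SESSION_COOKIE_HTTPONLY (True by default), or at least excluding the csrftoken cookie from the HttpOnly part. Two smaller points: the attributes are appended unconditionally, so a cookie that already carries Secure or HttpOnly ends up with the attribute twice, and `Header` without `always` only operates on the onsuccess table, so cookies set on non-2xx responses are not rewritten; `Header always edit` covers both.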
(related bug: https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1822751)
I ask due to this issue (https://github.com/opensourcepos/opensourcepos/issues/1492) which talks about a similar thing happening. As openstack-dashboard uses Angular it could be related to the CSRF token not being readable by the JS in the app?
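The mechanism the comment above suspects can be checked without a browser. The following is an added example, not code from the bug reporter, the charm, or Horizon: it emulates the `Header edit Set-Cookie` rewrite from the charm's default-ssl template on a constructed pair of Django-style Set-Cookie headers, models what document.cookie would then expose (HttpOnly cookies are withheld from script), and shows whether the client could still build the X-CSRFToken header. The cookie names are Django's defaults; the values, the `RULE_SECURE_ONLY` alternative and all function names are this example's own.

```python
import re

# Constructed sample: Set-Cookie headers roughly as Django/Horizon would emit
# them on a login response. Names are Django defaults, values are made up.
SAMPLE_SET_COOKIES = [
    "csrftoken=abc123; Path=/; SameSite=Lax",
    "sessionid=s3ss10n; Path=/; HttpOnly; SameSite=Lax",
]

# The rule from the charm's template (pattern, replacement) and a narrower
# alternative (hypothetical, not the charm's) that only adds Secure.
RULE_HTTPONLY_ALL = (r"^(.*)$", "$1;HttpOnly;Secure")
RULE_SECURE_ONLY = (r"^(.*)$", "$1;Secure")


def apache_header_edit(value, pattern, replacement):
    """Emulate `Header edit <name> <pattern> <replacement>` on one header value.

    mod_headers writes back-references as $1..$9 while Python's re uses
    \\1..\\9, so translate the replacement first. Only the first match is
    replaced, which is what `edit` (as opposed to `edit*`) does.
    """
    py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_replacement, value, count=1)


def rewrite_set_cookies(headers, rule):
    """Apply one rewrite rule to every Set-Cookie header in the response."""
    pattern, replacement = rule
    return [apache_header_edit(h, pattern, replacement) for h in headers]


def script_visible_cookies(set_cookie_headers):
    """Model document.cookie: return {name: value} for cookies without HttpOnly."""
    visible = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            visible[name] = value
    return visible


def csrf_request_header(visible_cookies):
    """What a Django-aware client sends: X-CSRFToken from the csrftoken cookie, or None."""
    token = visible_cookies.get("csrftoken")
    return ("X-CSRFToken", token) if token else None


def simulate(rule):
    """Rewrite the sample response with `rule` and return the CSRF header the client could build."""
    rewritten = rewrite_set_cookies(SAMPLE_SET_COOKIES, rule)
    return csrf_request_header(script_visible_cookies(rewritten))


if __name__ == "__main__":
    for label, rule in (("charm rule", RULE_HTTPONLY_ALL), ("Secure only", RULE_SECURE_ONLY)):
        print(label, "->", rewrite_set_cookies(SAMPLE_SET_COOKIES, rule), simulate(rule))
```

With the charm's rule the csrftoken cookie comes back carrying HttpOnly, `script_visible_cookies` drops it, and `simulate` returns None: there is no token for the client to put in X-CSRFToken, so every POST fails with "CSRF token missing or incorrect". With the Secure-only rule the session cookie stays HttpOnly (Django sets that itself) while the CSRF token remains readable, and the header can be built.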