OpenStack Dashboard (Horizon)

Secure Site Recommendations recommends setting a flag that is already default

Bug #1333407 reported by Matt Fischer on 2014-06-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Fix Released	Low	Clayton O'Neill	OpenStack Dashboard (Horizon) 2014.2 "juno"

Bug Description

See: http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations

The docs recommend setting SESSION_COOKIE_HTTPONLY = True, however this is already the default:

https://github.com/openstack/horizon/blob/master/openstack_dashboard/settings.py#L166

When I tried to add this line to the example config file I was told it's already default and not needed there, since that is the case, the docs need to be fixed.

See discussion in:

https://review.openstack.org/#/c/101259/

<david-lyle> I don't agree with your change, https://github.com/openstack/horizon/blob/master/openstack_dashboard/settings.py#L166 already sets that
<mfisch> so then its a doc bug
<mfisch> see my comment
<mfisch> I'll file a doc bug

Tags:

David Lyle (david-lyle) on 2014-06-24

Changed in horizon:
status:	New → Confirmed
importance:	Undecided → Low

Pawel Skowron (pawel-skowron) on 2014-07-08

Changed in horizon:
assignee:	nobody → Pawel Skowron (pawel-skowron)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-08: Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/105458

Changed in horizon:
assignee:	Pawel Skowron (pawel-skowron) → Clayton O'Neill (clayton-oneill)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-17: Fix merged to horizon (master)

Reviewed: https://review.openstack.org/105458
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=0560c7399cd20b8cf8d3258dcca70014ef185283
Submitter: Jenkins
Branch: master

commit 0560c7399cd20b8cf8d3258dcca70014ef185283
Author: Clayton O'Neill <email address hidden>
Date: Tue Jul 8 13:39:41 2014 +0000

Don't recommend setting SESSION_COOKIE_HTTPONLY

This setting is already defaults to true, so there is no need to
recommend that people set this option to prevent cross site scripting.

Closes-Bug: 1333407
Change-Id: If5c8f3cba31f6e613ec17af81cff8d15cd2f8f19

Changed in horizon:
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2014-07-23

Changed in horizon:
milestone:	none → juno-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in horizon:
milestone:	juno-2 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.