Secure Site Recommendations recommends setting a flag that is already default

Bug #1333407 reported by Matt Fischer
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Low
Assigned to: Clayton O'Neill

Bug Description

See: http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations

The docs recommend setting SESSION_COOKIE_HTTPONLY = True, however this is already the default:

https://github.com/openstack/horizon/blob/master/openstack_dashboard/settings.py#L166

When I tried to add this line to the example config file, I was told it's already the default and not needed there. Since that is the case, the docs need to be fixed.

See discussion in:

https://review.openstack.org/#/c/101259/

 <david-lyle> I don't agree with your change, https://github.com/openstack/horizon/blob/master/openstack_dashboard/settings.py#L166 already sets that
 <mfisch> so then it's a doc bug
 <mfisch> see my comment
 <mfisch> I'll file a doc bug

David Lyle (david-lyle)
Changed in horizon:
status: New → Confirmed
importance: Undecided → Low
Changed in horizon:
assignee: nobody → Pawel Skowron (pawel-skowron)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/105458

Changed in horizon:
assignee: Pawel Skowron (pawel-skowron) → Clayton O'Neill (clayton-oneill)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/105458
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=0560c7399cd20b8cf8d3258dcca70014ef185283
Submitter: Jenkins
Branch: master

commit 0560c7399cd20b8cf8d3258dcca70014ef185283
Author: Clayton O'Neill <email address hidden>
Date: Tue Jul 8 13:39:41 2014 +0000

    Don't recommend setting SESSION_COOKIE_HTTPONLY

    This setting already defaults to true, so there is no need to
    recommend that people set this option to prevent cross site scripting.

    Closes-Bug: 1333407
    Change-Id: If5c8f3cba31f6e613ec17af81cff8d15cd2f8f19
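
Since the flag now comes from the shipped default rather than from a line in the deployer's own config, the effective behaviour can be confirmed from the Set-Cookie headers a deployment actually sends. The following is an added example, not part of the bug report or of Horizon's code; the cookie name `sessionid` is Django's default SESSION_COOKIE_NAME (an assumption about the deployment), and the sample headers are constructed.

```python
# Added example: audit the HttpOnly attribute on the session cookie as emitted.
# Assumption: the session cookie is named "sessionid" (Django's default).

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes have no value.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, cookie_name="sessionid"):
    """Return a list of findings; an empty list means every copy is HttpOnly."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        # Presence of the attribute is what matters; any value is ignored.
        if "httponly" not in attrs:
            findings.append(
                "%s sent without HttpOnly: page script can read it" % name)
    if not seen:
        findings.append("%s not set in these headers" % cookie_name)
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real deployment.
    default_on = ["csrftoken=tok; Path=/", "sessionid=abc; httponly; Path=/"]
    overridden = ["sessionid=abc; Path=/"]  # as if a local override set False
    for label, headers in (("default", default_on), ("override", overridden)):
        print(label, audit_session_cookie(headers) or "OK")
```
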

Changed in horizon:
status: In Progress → Fix Committed
Changed in horizon:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: juno-2 → 2014.2