Default setting should be secure

Bug #1420863 reported by Brant Knudson on 2015-02-11
This bug affects 1 person
Affects: OpenStack + Chef; Importance: High; Assigned to: Mark Vanderwiel
Affects: OpenStack Dashboard (Horizon); Importance: High; Assigned to: Brant Knudson

Bug Description

Horizon has some instructions for setting it up in a secure way[1]. These settings should be the default.

[1] http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations

Changed in horizon:
assignee: nobody → Brant Knudson (blk-u)
status: New → In Progress
tags: added: dashboard
Changed in openstack-chef:
assignee: nobody → Mark Vanderwiel (vanderwl)
importance: Undecided → High
milestone: none → juno-rc1

Fix proposed to branch: master
Review: https://review.openstack.org/154976

Changed in openstack-chef:
status: New → In Progress

Reviewed: https://review.openstack.org/154943
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=7bd87acdd07f0718e32221525ff54a188f8cecb8
Submitter: Jenkins
Branch: master

commit 7bd87acdd07f0718e32221525ff54a188f8cecb8
Author: Brant Knudson <email address hidden>
Date: Wed Feb 11 10:38:58 2015 -0600

    Set the password_autocomplete default to "off"

    It's safer to set the autocomplete option to "off" for passwords
    so that browsers get the hint to not save it. The default should
    be secure so that deployers need to make a conscious decision to
    be less-secure.

    This is for security hardening.

    SecurityImpact

    Closes-Bug: 1420863

    Change-Id: If2c3439cf23b11dd7829a4d7866d3b21409a7d69

Changed in horizon:
status: In Progress → Fix Committed
Akihiro Motoki (amotoki) on 2015-02-15
Changed in horizon:
importance: Undecided → High
milestone: none → kilo-3

Reviewed: https://review.openstack.org/154976
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=9eed38ca508e3fb6cdb4390cf504ae211bc9a665
Submitter: Jenkins
Branch: master

commit 9eed38ca508e3fb6cdb4390cf504ae211bc9a665
Author: Mark Vanderwiel <email address hidden>
Date: Wed Feb 11 11:47:09 2015 -0600

    Change the default for password_autocomplete to off

    For better default security, change the default to off
    for password autocomplete. Base openstack horizon is also
    making this change soon.

    Change-Id: Ie46dd5b5e5d65dd4bfa298a4c2d571cf13b94812
    Closes-Bug: #1420863

Changed in openstack-chef:
status: In Progress → Fix Released
Thierry Carrez (ttx) on 2015-03-19
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in horizon:
milestone: kilo-3 → 2015.1.0
Changed in openstack-chef:
milestone: none → kilo-rc1
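
A deployment check for the setting both commits change, as an added example (not code from Horizon or the Chef cookbook): a Python 3.9+ audit that reports the effective `HORIZON_CONFIG["password_autocomplete"]` value in a Horizon settings file, so an explicit opt-out from the secure default is visible. The sample settings text and the function names are constructed for illustration, and only literal assignments are recognised.

```python
import ast

# Constructed sample of a Horizon settings file (not taken from the page).
SAMPLE_SETTINGS = '''
HORIZON_CONFIG = {
    "password_autocomplete": "off",
}
HORIZON_CONFIG["password_autocomplete"] = "on"  # later override wins
'''

KEY = "password_autocomplete"


def _const(node):
    """Value of a literal AST node, or None when it is not a literal."""
    return node.value if isinstance(node, ast.Constant) else None


def effective_autocomplete(source):
    """Last literal value assigned to HORIZON_CONFIG['password_autocomplete']."""
    value = None  # None: no literal value found, the release default applies
    for stmt in ast.parse(source).body:
        if not isinstance(stmt, ast.Assign):
            continue
        for target in stmt.targets:
            # Form 1: HORIZON_CONFIG = {..., "password_autocomplete": "off"}
            if (isinstance(target, ast.Name) and target.id == "HORIZON_CONFIG"
                    and isinstance(stmt.value, ast.Dict)):
                value = None  # a fresh dict replaces earlier settings
                for k, v in zip(stmt.value.keys, stmt.value.values):
                    if _const(k) == KEY:
                        value = _const(v)
            # Form 2: HORIZON_CONFIG["password_autocomplete"] = "off"
            elif (isinstance(target, ast.Subscript)
                    and isinstance(target.value, ast.Name)
                    and target.value.id == "HORIZON_CONFIG"
                    and _const(target.slice) == KEY):
                value = _const(stmt.value)
    return value


def audit(source):
    """Classify a settings file as 'ok', 'unset' or 'insecure'."""
    value = effective_autocomplete(source)
    if value is None:
        return "unset"
    return "ok" if value == "off" else "insecure"
```

An "unset" result means the outcome depends on which Horizon release is installed, since the default only became "off" with the fix tracked in this bug.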