Comment 2 for bug 1440958

Lin Hua Cheng (lin-hua-cheng) wrote:

It would be neat to generate the redirect URL to Horizon instead of reading it from the origin parameter; this could be done by just using the HOST name and generating the URL from the template: http://<HOST>/auth/websso/. But I realized this would not always work, because Horizon can be configured with a different WEBROOT too.

For example: http://<HOST>/<horizon_web_root>/auth/websso/

Too bad for that.

As for using the Referer, I tried printing the Referer from the context and this is what I got:
  'HTTP_REFERER': 'http://localhost:5000/v3/auth/OS-FEDERATION/websso/redirect'

It seems like it doesn't work. I also read that using HTTP_REFERER is not reliable and vulnerable to attacks as well, since a malicious user can simply replace this HTTP header.

So... it looks like what we have is actually the right way to go.

What I could do to loosen the validation is to just match the PROTOCOL://HOST_NAME of trusted_dashboard against the value in origin, instead of matching the whole string.
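As an added example (not Keystone's or Horizon's code, and not part of the comment above), the two matching modes discussed in this thread written out in Python: the current whole-string comparison of the origin parameter against the configured trusted_dashboard list, and the loosened PROTOCOL://HOST_NAME comparison proposed here. The dashboard URLs, the function names and the default-port table are assumptions for illustration. The loosened check compares the parsed scheme, host and port rather than a string prefix, so that a userinfo trick such as http://trusted-host@attacker-host/ or a look-alike host does not pass.

```python
"""Validate a WebSSO ``origin`` parameter against configured trusted dashboards.

Added example; not Keystone's or Horizon's code. Assumes ``trusted_dashboard``
is a list of full URLs such as ``http://horizon.example.com/auth/websso/``.
All function names and the sample configuration are hypothetical.
"""
from urllib.parse import urlsplit

# Constructed sample configuration; not taken from a real deployment.
TRUSTED_DASHBOARDS = [
    "http://horizon.example.com/auth/websso/",
    "https://cloud.example.org/dashboard/auth/websso/",
]

# Assumed defaults so "http://host/" and "http://host:80/" compare equal.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _scheme_host_port(url):
    """Return (scheme, hostname, port) for ``url``, or None if unusable.

    ``urlsplit().hostname`` strips userinfo and lower-cases the host, so
    ``http://horizon.example.com@evil.example/`` yields ``evil.example``,
    not the trusted host; a bare string prefix check would get this wrong.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if scheme not in _DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port or _DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric port, e.g. "http://host:abc/"
        return None
    return (scheme, host, port)


def origin_matches_exact(origin, trusted=TRUSTED_DASHBOARDS):
    """The strict check: origin must equal a configured dashboard URL.

    This rejects a Horizon deployed under a different WEBROOT than the one
    listed in trusted_dashboard, which is the problem raised in the thread.
    """
    return origin in trusted


def origin_matches_host(origin, trusted=TRUSTED_DASHBOARDS):
    """The loosened check proposed in the comment.

    Only PROTOCOL://HOST_NAME (here: scheme, host and port) has to match a
    trusted entry, so the dashboard WEBROOT no longer matters.
    """
    key = _scheme_host_port(origin)
    if key is None:
        return False
    return any(key == _scheme_host_port(entry) for entry in trusted)


def redirect_target(origin, trusted=TRUSTED_DASHBOARDS):
    """Return the URL the browser may be redirected to, or None if untrusted.

    Trade-off of the loosened check: the path still comes from the
    caller-controlled ``origin``; only the scheme, host and port are pinned.
    """
    return origin if origin_matches_host(origin, trusted) else None
```

The loosened match still lets the caller choose the path on the trusted host, which is the price of supporting arbitrary WEBROOTs; anchoring on the parsed host instead of `origin.startswith(trusted_entry)` is what keeps it from turning into a redirect to a different host.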