The VNC Console connection in Nova works by having the user connect to the API, which returns a URL such as: https://example.com:443/?token=abc where the token has a TTL, which is then used to create a session from a WebSocket.

However, URLs should not contain sensitive information such as session tokens with a TTL, since URLs can be leaked through proxy logs or other types of attacks such as Cross-Site Scripting. Additionally, because the session cookie is set with JavaScript, it cannot securely be set to HttpOnly, nor is it set with the Secure flag, making it further susceptible to Cross-Site Scripting attacks or leakage through a non-SSL connection.

To limit the exposure of the token being leaked through the URL, the token returned from the API should be one-time use and only used as an authentication token in order to obtain a session. The session cookie should be set by a Web Service instead of the client, so that the cookie can be securely set with the HttpOnly flag in addition to the Secure flag.
A possible design to address this without having to change noVNC:
1. Generate the URL as usual.
2. Upon the first use of the URL:
   2.1 Replace the token within nova with a new token (effectively invalidating the original token)
   2.2 Set this new token as a session cookie (secure=True, httponly=True) in the browser
3. Subsequent authentications (for html and js resources) will use this session cookie
4. Upon switching to websockets, invalidate the session cookie both from the browser and the token from nova.
I don't think step 4 is a good approach. A better way would be to track the state of the authentication on the server side so that no new auth can be done with this token, but let the existing connection use it as necessary. But this would require more changes.
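The token flow proposed above, as an added sketch that is not Nova or noVNC code: the URL token is exchanged once for a session token delivered in a Secure, HttpOnly cookie, and the WebSocket upgrade is recorded as server-side state rather than by clearing the cookie. The class, the `token` cookie name, and the TTL value are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

TOKEN_TTL = 600  # seconds; constructed value, not Nova's setting

class ConsoleTokenStore:
    """Hypothetical in-memory store, not Nova's token storage."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # token -> instance, state, expiry

    def issue(self, instance, state="url"):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"instance": instance, "state": state,
                               "expires": self._now() + TOKEN_TTL}
        return token

    def _live(self, token, state):
        # Return the entry only if it exists, is unexpired and is in `state`.
        entry = self._tokens.get(token)
        ok = entry and entry["state"] == state and entry["expires"] >= self._now()
        return entry if ok else None

    def exchange(self, url_token):
        """Step 2: first use swaps the URL token for a session cookie."""
        entry = self._live(url_token, "url")
        if entry is None:
            return None
        del self._tokens[url_token]  # step 2.1: the URL token is now invalid
        session = self.issue(entry["instance"], "session")
        cookie = SimpleCookie()
        cookie["token"] = session  # cookie name is an assumption
        cookie["token"]["secure"] = True
        cookie["token"]["httponly"] = True
        return session, cookie["token"].OutputString()

    def check(self, session_token):
        """Step 3: html and js requests authenticate with the cookie value."""
        entry = self._live(session_token, "session")
        return entry["instance"] if entry else None

    def open_websocket(self, session_token):
        """Step 4 variant: track state server-side, leave the cookie alone."""
        entry = self._live(session_token, "session")
        if entry is None:
            return None
        entry["state"] = "connected"  # no new auth is accepted with this token
        return entry["instance"]
```

A URL leaked through a proxy log after its first use fails at `exchange`, and a cookie value replayed after the WebSocket is open fails at both `check` and `open_websocket`.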