Comment 40 for bug 1409142

Paul McMillan (paul-mcmillan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

To the best of my knowledge, Nova does not currently have the necessary information to make a correct decision about this.

I would strongly recommend that we take the same approach Django has, and add support for specifying a header which tells nova whether the request is secure or not. I wouldn't object to also supporting a setting which just flat out toggled HTTPS mode on or off, since that may be easier for many people to deploy without reconfiguring their load balancers and proxies.

In either case, the new settings should have sane defaults which don't break people's installations if they don't configure them.
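One way the header-based approach recommended above could look, as an added example that is not part of the original comment and is not Nova's code. It assumes the decision in question is whether a WebSocket request's Origin matches the scheme and host the console was served from; the names `expected_scheme`, `origin_allowed`, `proxy_ssl_header` and `force_https`, and the sample request, are hypothetical.

```python
from urllib.parse import urlsplit


def expected_scheme(headers, proxy_ssl_header=None, force_https=None):
    """Scheme the browser used, or None when the deployment has not said.

    proxy_ssl_header: (header_name, secure_value) pair in the style of Django's
    SECURE_PROXY_SSL_HEADER. Only safe when the proxy strips or overwrites
    this header on every incoming request.
    force_https: flat on/off toggle; takes precedence when set.
    """
    if force_https is not None:
        return "https" if force_https else "http"
    if proxy_ssl_header is not None:
        name, secure_value = proxy_ssl_header
        return "https" if headers.get(name.lower()) == secure_value else "http"
    return None  # unconfigured: make no claim about the scheme


def origin_allowed(headers, proxy_ssl_header=None, force_https=None):
    """Decide whether a WebSocket upgrade's Origin matches this endpoint.

    headers: dict of request headers with lower-cased names.
    """
    origin, host = headers.get("origin"), headers.get("host")
    if not origin or not host:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.netloc.lower() != host.lower():
        return False
    scheme = expected_scheme(headers, proxy_ssl_header, force_https)
    # Default (nothing configured): host match only, so existing
    # deployments behind TLS-terminating proxies keep working.
    return scheme is None or parts.scheme == scheme


# Constructed sample: browser on HTTPS, TLS terminated at a load balancer.
SAMPLE = {
    "host": "console.example.com:6080",
    "origin": "https://console.example.com:6080",
    "x-forwarded-proto": "https",
}
```

With nothing configured the check falls back to comparing hosts only, which still rejects cross-site origins; the scheme comparison becomes active once an operator sets either option.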