Comment 78 for bug 1409142

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

Using the "ssl_only" option sounds good to me, it is documented as 'Disallow non-encrypted connections' and could be used to make sure origin is using an encrypted connection. On the other hand, Tony is right and this may cause surprise...

@Paul, if we go with the new option to enforce origin is https for all branches, would it also deter the DNS rebinding issue? And if not, in case we fix it in another patch, would this option be compatible or will it be rewritten to support a whitelist mechanism? Just making sure we are looking at a long-term solution...