Comment 7 for bug 1447679

Solly Ross (sross-7) wrote:

Well, another option would be to submit tokens through POST or through a header instead of as query parameters in a GET request. The downside of this would be that users could not simply paste the results of get-vnc-console into their browser -- the API would only work through Horizon, or similar services that could make POST requests and adjust headers (for example, you could send normal keystone headers and authenticate based on those in websockify).

When Horizon is run in Apache, you could also place websockify behind an Apache proxy pass, so that browsers send cookie information along to websockify from Horizon. It would also be possible to host the actual noVNC source files as part of Horizon (since they are just CSS, JS, and HTML), and just proxy the websocket connection. Then, you could authenticate using data from the cookie. Similarly to the above option, an issue would be that a user could not simply paste the results of get-vnc-console into their browser -- it would *only* work through Horizon, or something else that could send the appropriate cookie data.
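The two alternatives in the comment above (token in a request header, or in a cookie forwarded through the proxy) can be sketched as the token lookup a websocket proxy would run on the upgrade request. This is an added example, not part of the original comment and not code from websockify, nova or Horizon; the header name `X-Console-Token`, the cookie name `console_token` and the function `extract_token` are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Hypothetical names: neither is taken from websockify or nova.
TOKEN_HEADER = "x-console-token"
TOKEN_COOKIE = "console_token"


class TokenRejected(Exception):
    """Raised when no acceptable token accompanies the upgrade request."""


def extract_token(path, headers, allow_query=False):
    """Return (token, source) for a WebSocket upgrade request.

    path    -- request target, e.g. "/websockify?token=abc"
    headers -- mapping of header name to value (any case)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Option 1 from the comment: token carried in a request header.
    token = hdrs.get(TOKEN_HEADER, "").strip()
    if token:
        return token, "header"

    # Option 2: token carried in a cookie set by the dashboard, which
    # reaches the proxy only when both are served from the same origin.
    cookie = SimpleCookie()
    cookie.load(hdrs.get("cookie", ""))
    if TOKEN_COOKIE in cookie and cookie[TOKEN_COOKIE].value:
        return cookie[TOKEN_COOKIE].value, "cookie"

    # Legacy behaviour: token in the query string of the GET request.
    query = parse_qs(urlsplit(path).query)
    if query.get("token"):
        if allow_query:
            return query["token"][0], "query"
        raise TokenRejected("token in query string is not accepted")

    raise TokenRejected("no token supplied")
```

With `allow_query=False`, a URL pasted into a browser is refused, which is the usability trade-off the comment describes.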