Incorrect link/terminology on Deploying Horizon page

Bug #1431458 reported by Travis McPeak
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Wishlist
Assigned to: Balaji Narayanan

Bug Description

On this page: https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst , towards the bottom in "Secure Site Recommendations", the text says "To help protect the session cookies from cross-site scripting add the following" and then proceeds to document settings which set the cookies to "secure".

Protecting against cross-site scripting is done by another cookie setting, HttpOnly. The link in this text also refers to OWASP HttpOnly.

Ideally sensitive cookies like sessionid and csrf tokens will be protected by both settings. In any case these two cookie options should be mentioned separately as they are both important and serve different purposes.
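
The distinction the report draws can be checked against a deployment's response headers. The following is an added example, not part of the bug report or of Horizon's code: it audits Set-Cookie values for both flags separately. The cookie names `sessionid` and `csrftoken` are assumed to be the Django defaults, and the header values are constructed samples.

```python
# Added example: report which of the two cookie flags discussed in this bug
# are missing on sensitive cookies. Each flag serves a different purpose.
SENSITIVE = ("sessionid", "csrftoken")  # assumed Django default cookie names

FLAG_PURPOSE = {
    "secure": "cookie is only sent over HTTPS",
    "httponly": "cookie is not readable from JavaScript (document.cookie)",
}


def parse_set_cookie(header_value):
    """Return (cookie_name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(set_cookie_values, sensitive=SENSITIVE):
    """Map each sensitive cookie to the list of flags it is missing."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name not in sensitive:
            continue
        missing = [flag for flag in FLAG_PURPOSE if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: the session cookie is marked Secure but not HttpOnly,
# which is the state the original documentation text would have produced.
SAMPLE = [
    "sessionid=abc123; Path=/; Secure",
    "csrftoken=xyz789; Path=/; secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing_flags in audit(SAMPLE).items():
        for flag in missing_flags:
            print(f"{cookie}: missing {flag} ({FLAG_PURPOSE[flag]})")
```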

no longer affects: openstack-manuals
Changed in horizon:
assignee: nobody → Balaji Narayanan (lists-balajin)
Balaji Narayanan (lists-balajin) wrote :
Changed in horizon:
status: New → In Progress
Changed in horizon:
importance: Undecided → Wishlist
tags: added: low-hanging-fruit
Changed in horizon:
milestone: none → liberty-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/212326
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62a9d4320f0eb386467bca2908bcb81ce32d9472
Submitter: Jenkins
Branch: master

commit 62a9d4320f0eb386467bca2908bcb81ce32d9472
Author: Balaji Narayanan <email address hidden>
Date: Thu Aug 13 05:03:09 2015 +0000

    Fix XSS settings in Deployment Documentation

    Deployment document referenced the HTTPOnly setting but was pointing to
    Secure Cookies. Updated the document to reflect both HTTPOnly and Secure
    Cookie settings.

    Closes-Bug: #1431458

    Change-Id: I9117753e4295116184ecae22729db6d0ae629cf8

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: liberty-3 → 8.0.0