Comment 28 for bug 1463698

Lin Hua Cheng (lin-hua-cheng) wrote :

Amit failed to respond to an important question: whether horizon and swift are running on the same domain.

From the screenshot, the image is opened using the Swift Public URL endpoint.

And it seems like Swift is running on the same domain as horizon, allowing the script to access the horizon cookie.

The reported bug is invalid for Horizon.

This is more of a deployment issue.

Horizon has already documented the configuration for avoiding this XSS attack in: https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst

By setting:
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True
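As an added example (not code from this bug thread or from the Horizon project), the following script checks what those two settings actually buy you: it parses the Set-Cookie headers a Horizon (Django) deployment returns and reports which session/CSRF cookies are still readable by page script through document.cookie, i.e. were set without HttpOnly. The Set-Cookie headers and token values below are constructed samples, not captured from a real deployment; the settings names are the real Django settings the comment refers to, and the cookie names are Django's defaults (assumed unchanged).

```python
"""
Audit Django/Horizon Set-Cookie headers for the HttpOnly flag that
CSRF_COOKIE_HTTPONLY and SESSION_COOKIE_HTTPONLY switch on.

Added example for illustration; not code from the Horizon bug thread or
the Horizon project. All header values below are constructed samples.
"""
from http.cookies import SimpleCookie

# Django's default cookie names mapped to the setting that controls HttpOnly.
SETTING_FOR_COOKIE = {
    "sessionid": "SESSION_COOKIE_HTTPONLY",
    "csrftoken": "CSRF_COOKIE_HTTPONLY",
}

# The weak configuration (both flags off) next to the one the comment recommends.
WEAK_SETTINGS = {"SESSION_COOKIE_HTTPONLY": False, "CSRF_COOKIE_HTTPONLY": False}
HARDENED_SETTINGS = {"SESSION_COOKIE_HTTPONLY": True, "CSRF_COOKIE_HTTPONLY": True}

# Constructed Set-Cookie header values, as a weak and a hardened deployment
# would emit them (one cookie per header, as HTTP requires).
WEAK_HEADERS = [
    "sessionid=constructed-session-token; Path=/",
    "csrftoken=constructed-csrf-token; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=constructed-session-token; Path=/; HttpOnly",
    "csrftoken=constructed-csrf-token; Path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Return (cookie_name, httponly) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    # A single Set-Cookie header carries exactly one cookie.
    ((name, morsel),) = jar.items()
    # SimpleCookie stores the HttpOnly flag as True when present, "" otherwise.
    return name, bool(morsel["httponly"])


def script_readable_cookies(set_cookie_headers):
    """Names of session/CSRF cookies that any script running on the same
    origin (e.g. an XSS payload served from a Swift public URL hosted on the
    horizon domain) could read via document.cookie: those lacking HttpOnly."""
    exposed = []
    for header in set_cookie_headers:
        name, httponly = parse_set_cookie(header)
        if name in SETTING_FOR_COOKIE and not httponly:
            exposed.append(name)
    return exposed


def deployment_matches(settings, set_cookie_headers):
    """True when every observed cookie carries exactly the HttpOnly flag its
    setting requests; a mismatch means the running service is not using the
    settings file you believe it is."""
    for header in set_cookie_headers:
        name, httponly = parse_set_cookie(header)
        setting = SETTING_FOR_COOKIE.get(name)
        if setting is not None and httponly != bool(settings.get(setting, False)):
            return False
    return True


if __name__ == "__main__":
    print("weak deployment exposes:", script_readable_cookies(WEAK_HEADERS))
    print("hardened deployment exposes:", script_readable_cookies(HARDENED_HEADERS))
    print("hardened settings applied:", deployment_matches(HARDENED_SETTINGS, HARDENED_HEADERS))
```

To use this against a live deployment, feed it the Set-Cookie header values from a login response instead of the constructed lists. Note the limit of the mitigation: HttpOnly only stops script from reading the cookie value; script that runs on the same origin can still send requests that the browser authenticates with that cookie, which is why serving Swift public URLs from a separate domain is the deployment fix the comment points to.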