Amit failed to respond to an important question: whether Horizon and Swift are running on the same domain.
From the screenshot, the image is opened using the Swift Public URL endpoint.
And it seems like Swift is running on the same domain as Horizon, allowing the script to access the Horizon cookie.
The reported bug is invalid for Horizon.
This is more of a deployment issue.
Horizon already documents the configuration for avoiding XSS attacks in: https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst
By setting:
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True
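As an added example (not part of the bug discussion and not Horizon's own code), the following Python checks the two things this comment turns on: whether a Django settings mapping sets the two HttpOnly flags the deployment guide names, whether the resulting Set-Cookie headers actually carry HttpOnly (and Secure, which is not on the page but is checked at the same time in practice), and whether the Horizon URL and the Swift public endpoint share a browser origin. The cookie names sessionid and csrftoken are Django's defaults, and all headers, settings and URLs below are constructed sample input.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# The two Django settings the Horizon deployment guide says to enable.
HTTPONLY_SETTINGS = ("SESSION_COOKIE_HTTPONLY", "CSRF_COOKIE_HTTPONLY")


def audit_settings(settings):
    """Return the HttpOnly settings that are not explicitly True in a settings mapping."""
    return [key for key in HTTPONLY_SETTINGS if settings.get(key) is not True]


def audit_set_cookie(headers):
    """Report cookies whose Set-Cookie header lacks HttpOnly or Secure.

    `headers` is a list of raw Set-Cookie values, one per header line.
    Returns {cookie_name: [missing flags]} for cookies with something missing.
    """
    missing = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Morsel stores flag attributes as True when present, '' when absent.
            gaps = [flag for flag in ("httponly", "secure") if not morsel[flag]]
            if gaps:
                missing[name] = gaps
    return missing


def same_origin(url_a, url_b):
    """True when two URLs share scheme, host and port (one browser origin).

    Content served by Swift from the same origin as Horizon runs with access
    to Horizon's cookies unless they are HttpOnly; a separate origin closes
    that path regardless of cookie flags.
    """
    def origin(url):
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
        return (parts.scheme.lower(), (parts.hostname or "").lower(), port)
    return origin(url_a) == origin(url_b)


# Constructed sample input (not from the bug report).
WEAK_SETTINGS = {"SESSION_COOKIE_HTTPONLY": True}  # CSRF_COOKIE_HTTPONLY left unset
HARDENED_SETTINGS = {"SESSION_COOKIE_HTTPONLY": True, "CSRF_COOKIE_HTTPONLY": True}

WEAK_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz789; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",
]

HORIZON_URL = "https://cloud.example.com/dashboard/"
SWIFT_SAME_ORIGIN = "https://cloud.example.com:443/v1/AUTH_demo/container/page.html"
SWIFT_SEPARATE_ORIGIN = "https://swift.example.com/v1/AUTH_demo/container/page.html"

if __name__ == "__main__":
    print("weak settings missing:", audit_settings(WEAK_SETTINGS))
    print("weak headers missing:", audit_set_cookie(WEAK_HEADERS))
    print("hardened headers missing:", audit_set_cookie(HARDENED_HEADERS))
    print("swift shares Horizon origin:", same_origin(HORIZON_URL, SWIFT_SAME_ORIGIN))
    print("swift on separate origin:", same_origin(HORIZON_URL, SWIFT_SEPARATE_ORIGIN))
```

HttpOnly only stops script from reading the cookie through document.cookie; the browser still attaches the cookie to requests the same origin makes, which is why the origin check matters alongside the flags and why this comment frames the report as a deployment question about serving Swift content on Horizon's domain.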