Remove Set-Cookie .... HttpOnly;secure to allow CSRF access

Angular (running in the page) can't access the CSRF token if the cookie
is set to secure.  This is a temporary patch to resolve the issue whilst
a more permanent fix is found.

This reverts patch I1ded951d79ad9fa832d1e88f656a1e064b1ef007
(essentially).


Change-Id: Ied9d0f5486c260a17da9375ec6347d0952154225
Related-Bug: #1822751
Closes-Bug: #1853173
Alex Kavanagh 2019-11-25 13:05:40 +00:00 committed by Alex Kavanagh (tinwood)
parent 3c1daae756
commit 2ac72c39b4
1 changed file with 2 additions and 1 deletion


@ -44,7 +44,8 @@ NameVirtualHost *:{{ 443 }}
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
{% if enforce_ssl %}
Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# NOTE(ajkavanagh) due to Bug 1853173 the cookie can't be secure at this time, so disabling until a fix is found.
# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
{% endif %}
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
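Review bot: commenting out the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line inside the `{% if enforce_ssl %}` block strips both HttpOnly and Secure from every cookie the vhost emits, not just from the CSRF cookie the commit message is concerned with. The attribute that stops in-page JavaScript from reading a cookie via document.cookie is HttpOnly; Secure only restricts the cookie to HTTPS transport and does not block script access on an HTTPS page, so the workaround can be made narrower. Two options that keep more of the hardening while the permanent fix is found: replace the commented line with `Header edit Set-Cookie ^(.*)$ $1;Secure` so session cookies are still never sent over plain HTTP (consistent with the Strict-Transport-Security header set two lines above), or keep the original rule and add a negative-lookahead on the CSRF cookie's name so only that one cookie loses HttpOnly. The NOTE comment should also say which attribute is the actual blocker and reference the temporary nature of the change, so the line is not forgotten when Bug 1853173 is closed.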