
Manage disallow_iframe_embed with puppet manifest

DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
Scripting (XFS) vulnerability, so this option allows extra security hardening
where iframes are not used in deployment

Change-Id: I5c540e552efe738bdec8598f9257fa22ae651a76
Related-Bug: #1641882
lukehinds committed Dec 9, 2016
1 parent d454208 commit 218c35ea7bc08dd88d936ab79b14e5ce2b94ea44
@@ -299,6 +299,12 @@
# recommended if you're running horizon behind a proxy.
# Defaults to false
#
# [*disallow_iframe_embed*]
# (optional)DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
# Scripting (XFS) vulnerability, so this option allows extra security hardening
# where iframes are not used in deployment. Default setting is True.
#
# === DEPRECATED group/name
#
# [*fqdn*]
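Review bot: The new parameter doc does not follow the wording of the entries around it: "(optional)DISALLOW_IFRAME_EMBED" is missing a space after the parenthesis, and "Default setting is True." differs from the "Defaults to false" form used just above. Suggest "(optional) DISALLOW_IFRAME_EMBED can be used ..." and "Defaults to true". It would also help to say what setting the parameter to false does, since the template in this change writes nothing in that case.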
@@ -398,6 +404,7 @@
$disable_password_reveal = false,
$enforce_password_check = false,
$enable_secure_proxy_ssl_header = false,
$disallow_iframe_embed = true,
# DEPRECATED PARAMETERS
$custom_theme_path = undef,
$fqdn = undef,
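Review bot: There is no type check on $disallow_iframe_embed, and the template in this change tests it with a strict "== true", so a caller passing the string 'true' (for example from hiera) would silently get no hardening line in local_settings.py. Suggest validating the parameter as a boolean in the class body, for instance with stdlib's validate_bool, so a wrong type fails the catalog instead of quietly disabling the setting. Also note that the default of true changes rendered output for every existing deployment on upgrade, which deserves an explicit mention in the release note.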
@@ -0,0 +1,5 @@
---
features:
- Making DISALLOW_IFRAME_EMBED in local_settings.py a configurable value
DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
within an iframe
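Review bot: The release note never names the new class parameter or its default. Operators reading it cannot tell that disallow_iframe_embed now defaults to true and that deployments which embed Horizon in an iframe must set it to false. Suggest stating the parameter name and default explicitly, and ending the second sentence with a period. Since this changes the default rendered configuration, consider listing it under a security or upgrade section in addition to features.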
@@ -442,6 +442,20 @@
])
end
end
context 'with disallow iframe embed enabled' do
before do
params.merge!({
:disallow_iframe_embed => true
})
end
it 'disallow_iframe_embed is configured' do
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
'HORIZON_CONFIG["disallow_iframe_embed"] = True',
])
end
end
end
shared_examples_for 'horizon on RedHat' do
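Review bot: The new context only covers disallow_iframe_embed => true, which is also the parameter default, so the test does not exercise the conditional in the template. Suggest adding a second context with :disallow_iframe_embed => false that asserts the 'HORIZON_CONFIG["disallow_iframe_embed"] = True' line is absent from the local_settings.py fragment, so a regression in the conditional is caught.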
@@ -968,3 +968,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
# For more information see:
# http://tinyurl.com/anticlickjack
#DISALLOW_IFRAME_EMBED = True
<% if @disallow_iframe_embed == true %>
HORIZON_CONFIG["disallow_iframe_embed"] = True
<% end %>
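Review bot: In the added conditional, the false case emits nothing, so setting the parameter to false does not write an explicit False and the effective behaviour is left to whatever Horizon defaults to. If the intent is that operators can turn the protection off for iframe deployments, render the value in both cases (True or False) instead of only when it is true. Separately, the commented example directly above uses the top-level name "#DISALLOW_IFRAME_EMBED = True" while the emitted line sets HORIZON_CONFIG["disallow_iframe_embed"]; please confirm which key Horizon reads and make the comment match the line that is written. Minor style point: "<% if ... %>" and "<% end %>" without trailing "-%>" leave blank lines in the rendered file.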
