Expose horizon_disallow_iframe_embed in defaults

In order to expose the variable in documentation, it is defined in defaults and the value is always templated. The default value is set to the same as the upstream default. Change-Id: I3a8785de414a82931b1089f7396b0fbe3b68ae7d
2017-02-10 17:18:44 +00:00 · 2017-02-10 17:18:44 +00:00 · 52626d87d0
commit 52626d87d0
parent ed40de8895
2 changed files with 9 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -113,6 +113,14 @@ horizon_simple_ip_management: True
 # To enable ha router support in horizon set to True
 horizon_enable_ha_router: False

+# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+# For more information see:
+# http://tinyurl.com/anticlickjack
+horizon_disallow_iframe_embed: True
+
 # WSGI tuning parameters
 # horizon_wsgi_processes: 4
 # horizon_wsgi_threads: 4
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@ -725,11 +725,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # where iframes are not used in deployment. Default setting is True.
 # For more information see:
 # http://tinyurl.com/anticlickjack
-{% if horizon_disallow_iframe_embed is defined %}
-DISALLOW_IFRAME_EMBED = {{ horizon_disallow_iframe_embed }}
-{% else %}
-#DISALLOW_IFRAME_EMBED = True
-{% endif %}
+DISALLOW_IFRAME_EMBED = {{ horizon_disallow_iframe_embed | bool }}

 # The default date range in the Overview panel meters - either <today> minus N
 # days (if the value is integer N), or from the beginning of the current month