haproxy: fix csp for glance image uploads via horizon

Connections to port 9292 by Horizon were blocked by content
security policy. This patch permits connections to API services
running on the same host as Horizon.

Change-Id: I17d3f079ddbd4f0150c4b01f822818db52083d21
Related-Bug: #1971179
Andrew Bonney 2022-05-17 14:42:56 +01:00
parent 4ac454f594
commit 0feafaf1be
2 changed files with 6 additions and 1 deletions


@ -42,7 +42,7 @@ haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
# To override the CSP used by a specific service define a variable haproxy_<service name>_csp
haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; img-src 'self' data:; worker-src blob:;\""
haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:*; img-src 'self' data:; worker-src blob:;\""
# To disable security headers set to []
haproxy_security_headers:
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
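Review bot: The added `connect-src 'self' {{ external_lb_vip_address }}:*` source in `haproxy_security_headers_csp` permits script-initiated connections (XHR, fetch, WebSocket) to every port on the VIP, while the commit message names only the Glance API on 9292. Because `script-src` in the same policy keeps `'unsafe-inline' 'unsafe-eval'`, connect-src does real work in limiting where page script can send data, so the source list is worth keeping as narrow as the upload path needs. Consider enumerating the API ports Horizon actually calls, in the style of the existing `{{ external_lb_vip_address }}:{{ nova_console_port }}` entries, for example `connect-src 'self' {{ external_lb_vip_address }}:9292;`. This variable is the default for every service behind haproxy, and the comment above it describes `haproxy_<service name>_csp` overrides, so the wider list could presumably live in a Horizon-specific override instead. A comment such as `# connect-src: Horizon's browser-side image uploads call API endpoints on the VIP directly` would record why the directive exists.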


@ -0,0 +1,5 @@
---
fixes:
- |
Fixes a Content Security Policy error which prevented image uploads via
the Horizon interface.