From 64cf176bef8317e295a6278308ac4e4f469cceaa Mon Sep 17 00:00:00 2001
From: Gayathri Devi Kathiri
Date: Tue, 6 Apr 2021 16:48:31 +0000
Subject: [PATCH] Implement "CSRF_COOKIE_HTTPONLY" option support in horizon

The HTTP only flag protects the session cookies from cross-site scripting.

Change-Id: Iec07b3b447051726ce218e5f31c8bf583731a90c
---
 horizon/Chart.yaml | 2 +-
 horizon/values.yaml | 2 ++
 horizon/values_overrides/tls.yaml | 1 +
 releasenotes/notes/horizon.yaml | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/horizon/Chart.yaml b/horizon/Chart.yaml
index 3c028fc485..de39c74c3b 100644
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 7c53ec1045..703405c5aa 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -188,6 +188,7 @@ conf:
 keystone_default_domain: Default
 disable_password_reveal: "True"
 csrf_cookie_secure: "False"
+ csrf_cookie_httponly: "False"
 enforce_password_check: "True"
 # Set enable_pwd_validator to true to enforce password validator settings.
 enable_pwd_validator: false
@@ -275,6 +276,7 @@ conf:
 # settings to better secure the cookies from security exploits
 USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
 CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+ CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
 SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
 SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
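Review bot: The new `csrf_cookie_httponly` default in the first values.yaml hunk carries no comment, and the consequence of flipping it is not obvious from the key name: once the second hunk renders `CSRF_COOKIE_HTTPONLY = True` into local_settings, the csrftoken cookie is no longer readable by JavaScript, so any client-side code that takes the token from that cookie rather than from Django's rendered `csrfmiddlewaretoken` form field will have its POSTs rejected. I would add above the new key: `# When "True" the csrftoken cookie is hidden from JavaScript; clients must then read the token from the rendered form field, not the cookie.` The tls.yaml override in the next file section enables it by default, so the same caveat belongs in the release note entry. The commit message describes the flag as protecting the session cookies, but this setting only affects the CSRF cookie; the session cookie is covered by the existing SESSION_COOKIE_HTTPONLY line visible in the second hunk's context.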
diff --git a/horizon/values_overrides/tls.yaml b/horizon/values_overrides/tls.yaml
index 562962d20a..c273dcc638 100644
--- a/horizon/values_overrides/tls.yaml
+++ b/horizon/values_overrides/tls.yaml
@@ -73,6 +73,7 @@ conf:
 config:
 use_ssl: "True"
 csrf_cookie_secure: "True"
+ csrf_cookie_httponly: "True"
 enforce_password_check: "True"
 session_cookie_secure: "True"
 session_cookie_httponly: "True"
diff --git a/releasenotes/notes/horizon.yaml b/releasenotes/notes/horizon.yaml
index 3b72fcc8b5..cf839eba14 100644
--- a/releasenotes/notes/horizon.yaml
+++ b/releasenotes/notes/horizon.yaml
@@ -8,4 +8,5 @@ horizon:
 - 0.1.5 Revert - Change Issuer to ClusterIssuer
 - 0.1.6 Change Issuer to ClusterIssuer
 - 0.1.7 Update glance default policy values
+ - 0.1.8 Implement "CSRF_COOKIE_HTTPONLY" option support in horizon
 ...