Implement "CSRF_COOKIE_HTTPONLY" option support in horizon

The HTTP only flag protects the session cookies from cross-site scripting. Change-Id: Iec07b3b447051726ce218e5f31c8bf583731a90c
2021-04-06 16:48:31 +00:00 · 2021-04-06 16:48:31 +00:00 · 64cf176bef
commit 64cf176bef
parent 34c3cd4adf
4 changed files with 5 additions and 1 deletions
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -188,6 +188,7 @@ conf:
        keystone_default_domain: Default
        disable_password_reveal: "True"
        csrf_cookie_secure: "False"
+        csrf_cookie_httponly: "False"
        enforce_password_check: "True"
        # Set enable_pwd_validator to true to enforce password validator settings.
        enable_pwd_validator: false
@ -275,6 +276,7 @@ conf:
        # settings to better secure the cookies from security exploits
        USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
        CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+        CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
        SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}

        SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
--- a/horizon/values_overrides/tls.yaml
+++ b/horizon/values_overrides/tls.yaml
@ -73,6 +73,7 @@ conf:
      config:
        use_ssl: "True"
        csrf_cookie_secure: "True"
+        csrf_cookie_httponly: "True"
        enforce_password_check: "True"
        session_cookie_secure: "True"
        session_cookie_httponly: "True"
--- a/releasenotes/notes/horizon.yaml
+++ b/releasenotes/notes/horizon.yaml
@ -8,4 +8,5 @@ horizon:
  - 0.1.5 Revert - Change Issuer to ClusterIssuer
  - 0.1.6 Change Issuer to ClusterIssuer
  - 0.1.7 Update glance default policy values
+  - 0.1.8 Implement "CSRF_COOKIE_HTTPONLY" option support in horizon
 ...