Manage disallow_iframe_embed with puppet manifest
DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in the deployment.

Change-Id: I5c540e552efe738bdec8598f9257fa22ae651a76
Related-Bug: #1641882
This commit is contained in:
parent
d454208d7e
commit
218c35ea7b
@ -299,6 +299,12 @@
|
||||
# recommended if you're running horizon behind a proxy.
|
||||
# Defaults to false
|
||||
#
|
||||
# [*disallow_iframe_embed*]
|
||||
# (optional)DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
|
||||
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
|
||||
# Scripting (XFS) vulnerability, so this option allows extra security hardening
|
||||
# where iframes are not used in deployment. Default setting is True.
|
||||
#
|
||||
# === DEPRECATED group/name
|
||||
#
|
||||
# [*fqdn*]
|
||||
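Review bot: The parameter documentation ends with "Default setting is True." while the neighbouring entries use the form "Defaults to false", and it never says what turning the option off costs the operator. Since this is Horizon's anti-clickjacking control, the doc should state the trade-off explicitly: `# where iframes are not used in deployment. Setting this to false removes Horizon's` / `# clickjacking protection, so only do so when the dashboard must be framed.` / `# Defaults to true`. The `(optional)` marker is also missing the space the other entries appear to use before the sentence.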
@ -398,6 +404,7 @@ class horizon(
|
||||
$disable_password_reveal = false,
|
||||
$enforce_password_check = false,
|
||||
$enable_secure_proxy_ssl_header = false,
|
||||
$disallow_iframe_embed = true,
|
||||
# DEPRECATED PARAMETERS
|
||||
$custom_theme_path = undef,
|
||||
$fqdn = undef,
|
||||
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- Making DISALLOW_IFRAME_EMBED in local_settings.py a configurable value
|
||||
DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
|
||||
within an iframe
|
@ -442,6 +442,20 @@ describe 'horizon' do
|
||||
])
|
||||
end
|
||||
end
|
||||
|
||||
context 'with disallow iframe embed enabled' do
|
||||
before do
|
||||
params.merge!({
|
||||
:disallow_iframe_embed => true
|
||||
})
|
||||
end
|
||||
|
||||
it 'disallow_iframe_embed is configured' do
|
||||
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
|
||||
'HORIZON_CONFIG["disallow_iframe_embed"] = True',
|
||||
])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples_for 'horizon on RedHat' do
|
||||
|
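Review bot: The new context merges `:disallow_iframe_embed => true`, which is already the class default in the parameter list, so the spec cannot tell whether the new conditional is honoured or the parameter is ignored altogether. A `context 'with disallow iframe embed disabled'` that merges `:disallow_iframe_embed => false` and asserts that `HORIZON_CONFIG["disallow_iframe_embed"] = True` is absent from the `local_settings.py` fragment is needed to exercise the branch; `verify_concat_fragment_contents` only checks presence, so use whichever negative-match idiom this spec already has for fragment content. A no-params example asserting the line is present by default would also pin the hardening-on default for future changes. The enclosing `shared_examples_for` block starts outside the hunk.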
@ -968,3 +968,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
|
||||
# For more information see:
|
||||
# http://tinyurl.com/anticlickjack
|
||||
#DISALLOW_IFRAME_EMBED = True
|
||||
<% if @disallow_iframe_embed == true %>
|
||||
HORIZON_CONFIG["disallow_iframe_embed"] = True
|
||||
<% end %>
|
||||
|
||||
|
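Review bot: The conditional only emits `HORIZON_CONFIG["disallow_iframe_embed"] = True` when the parameter is true; with `disallow_iframe_embed => false` nothing is written, so the effective value silently falls back to Horizon's own default, and the commented `#DISALLOW_IFRAME_EMBED = True` example just above suggests that default is already on — in which case false is a no-op rather than a way to disable the check. Rendering the value unconditionally makes the parameter honest in both directions and gives the spec something to assert in the negative case: `HORIZON_CONFIG["disallow_iframe_embed"] = <%= @disallow_iframe_embed ? 'True' : 'False' %>`. The strict `== true` comparison also treats a string `'true'` from Hiera as off; if the class validates its other booleans with `validate_bool` (outside this hunk), this parameter should get the same treatment so the protection cannot be dropped by a type mismatch.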