rhtyd commented on issue #4550: URL: https://github.com/apache/cloudstack/issues/4550#issuecomment-747438339
Yes @weizhouapache, but I think the old console also worked like that. If the old console had some auth mechanism that noVNC doesn't, then we should treat it like a regression, or if the token is not randomised (is static in nature, which I believe it isn't). Otherwise, if you're sharing the token with a colleague (or the full link), then it's not a security issue, which would appear the same as sharing a password, sessionkey or apikey/secret key. CloudStack would serve the iframe on https too (if ssl cert is enabled), so then it's not a MITM security issue as well.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
