Ok. Thanks for taking a look.
Kevin
From: David Stanek [dsta...@dstanek.com]
Sent: Wednesday, July 06, 2016 5:36 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [security] [horizon] Security implications of
By caching, do you mean not persisting it in local storage or a cookie? Would
it be okay to store in a variable in browser memory for the duration of the
session to be used with subsequent API requests?
Thanks,
Travis
On 7/6/16, 6:36 PM, "David Stanek" wrote:
On 07/01 at 19:41, Fox, Kevin M wrote:
> Hi David,
>
> How do you feel about the approach here:
> https://review.openstack.org/#/c/311189/
>
> It lets the existing angular js module:
> horizon.app.core.openstack-service-api.keystone
>
> access the current token via getCurrentUserSession().token
From: David Stanek [dsta...@dstanek.com]
Sent: Friday, July 01, 2016 11:17 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [security] [horizon] Security implications of
exposing a keystone token to a JS client
On 06/29 at 21:10, Timur Sufiev wrote:
> Hello, vigilant folks of OpenStack Security team!
>
> The commit(s) I'd like you to take a look at introduces a new Horizon
> feature, Create (Glance) Image using CORS (AKA Cross-Origin Resource
> Sharing) [1].
>
> The main idea is to bypass Horizon web-se
I am not sure if this is a valid concern. If I am using a CLI and someone gets access to my computer, they can do whatever they well please. If I am using Horizon and someone gets access, it's going to be the same story, they can still do damage even without knowing the token (at least until the web
Ah. I was going to bring this up eventually but hadn't gotten to it yet.
I started up a patch for adding similar support for horizon here:
https://review.openstack.org/#/c/311189/
My intention is to use it to make a Horizon Plugin to speak to a Keystone
authenticated Kubernetes api directly.
Th