Amit failed to respond to an important question: whether horizon and swift are running on the same domain.

From the screenshot, the image is opened using the Swift Public URL endpoint. And it seems like Swift is running on the same domain as horizon, allowing the script to access the horizon cookie. The reported bug is invalid for Horizon. This is more of a deployment issue. Horizon already documents the configuration for how to avoid XSS attacks in: https://github.com/openstack/horizon/blob/master/doc/source/topics/deployment.rst

By setting:

CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True

** Changed in: horizon
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1463698

Title:
  XSS

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Object Storage (swift):
  Invalid

Bug description:
  2.14.2
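A deployment-side check for the two conditions this thread turns on, the Swift public URL sharing Horizon's origin and the session/CSRF cookies being served without HttpOnly. This is an added example, not code from Horizon or from the bug report; the URLs and Set-Cookie headers are constructed, and the cookie names assume Django's defaults (sessionid, csrftoken).

```python
"""Checks a deployer can run against a Horizon + Swift installation.

Assumptions (not from the bug report): Horizon uses Django's default cookie
names, and the browser same-origin tuple is (scheme, host, port).
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Django's default names for the cookies HttpOnly is meant to protect.
SENSITIVE_COOKIES = ("sessionid", "csrftoken")


def origin(url):
    """Return the browser's same-origin tuple (scheme, host, port) for a URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(horizon_url, swift_public_url):
    """True when script served from Swift runs in Horizon's origin.

    That is the deployment condition under which an object stored in Swift
    can read Horizon's cookies at all.
    """
    return origin(horizon_url) == origin(swift_public_url)


def cookies_missing_httponly(set_cookie_headers):
    """Names of sensitive cookies that Horizon served without HttpOnly.

    Each element is one Set-Cookie header value as returned by the dashboard.
    """
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel stores the flag as True when present, "" when absent.
            if name in SENSITIVE_COOKIES and not morsel["httponly"]:
                missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed sample: Swift published on the dashboard host, and the CSRF
    # cookie lacking HttpOnly, i.e. the unsafe deployment described above.
    horizon = "https://dashboard.example.com/"
    swift = "https://dashboard.example.com/v1/AUTH_demo/images/logo.svg"
    headers = ["sessionid=abc123; Path=/; HttpOnly", "csrftoken=deadbeef; Path=/"]
    print("same origin:", same_origin(horizon, swift))
    print("cookies without HttpOnly:", cookies_missing_httponly(headers))
```

Run it against the real dashboard by substituting its URL, the Swift public URL from the service catalog, and the Set-Cookie headers from a login response.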

