Manage disallow_iframe_embed
author Luke Hinds <lhinds@redhat.com>
Fri, 9 Dec 2016 11:41:19 +0000 (11:41 +0000)
committer Luke Hinds <lhinds@redhat.com>
Tue, 13 Dec 2016 06:52:43 +0000 (06:52 +0000)
disallow_iframe_embed can be used to prevent Horizon from being
embedded within an iframe. Legacy browsers are still vulnerable
to a Cross-Frame Scripting (XFS) vulnerability, so this option
allows extra security hardening where iframes are not used in
deployment.

Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
Closes-Bug: #1641882

puppet/services/horizon.yaml

index 8eaf404..3cdd069 100644 (file)
@@ -60,6 +60,7 @@ outputs:
                 - 443
           horizon::disable_password_reveal: true
           horizon::enforce_password_check: true
+          horizon::disallow_iframe_embed: true
           horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
           horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
           horizon::vhost_extra_params:
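
Review bot: `horizon::disallow_iframe_embed: true` is hard-coded at the added line, but the commit message describes the option as hardening for deployments "where iframes are not used", and nothing in this hunk lets an operator who does embed Horizon in a frame turn it off. Consider exposing it as a template parameter that defaults to true. If the fixed value is intentional, in line with the neighbouring `horizon::disable_password_reveal` and `horizon::enforce_password_check` settings, a release note stating the behaviour change and how to override it would cover the same ground.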