diff --git a/defaults/main.yml b/defaults/main.yml
index 68095b5d..a6c47f81 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -278,6 +278,12 @@ horizon_show_keystone_v2_rc: True
 ## alternatively, you can set horizon to turn off ssl verification for Keystone
 horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
+## Horizon Cross-Site Request Forgery Trusted Hosts
+# add a list of domains that are trusted when evaluated requests for Cross-Site Request Forgery
+# This is useful when terminating SSL outside of the cloud on a domain that isn't directly tied
+# to the hosts that are operating the cloud.
+horizon_ssl_csrf_trusted_origins: []
+
 ## The role which Horizon should use as a default for users
 horizon_default_role_name: _member_
diff --git a/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml b/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml
new file mode 100644
index 00000000..138a953b
--- /dev/null
+++ b/releasenotes/notes/horizon_ssl_csrf_trusted_origins-15643e2b6e6eea3c.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The ability to define trusted Cross-Site Request Forgery domains hsa been
+ added with the `horizon_ssl_csrf_trusted_origins` variable. The new variable
+ is a array of strings and when defined will render the django built-in
+ variable **CSRF_TRUSTED_ORIGINS**.
+
+ https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins
diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index 862a090c..ed8a486e 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
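Review bot: The comment on `horizon_ssl_csrf_trusted_origins` tells operators to list "domains", but the Django setting it feeds (CSRF_TRUSTED_ORIGINS, whose 4.1 documentation the release note links) expects each entry to be a full origin with scheme and host; on Django 4.0 and later a bare hostname never matches the request's Origin header, so CSRF verification keeps failing for exactly the externally-terminated-TLS deployments this variable is meant to help. The expected format depends on the Django version Horizon is pinned to (older releases took hostnames without a scheme), so the comment should say which form the role renders. I would reword the line to `# add a list of trusted origins (scheme + host, e.g. https://dashboard.example.com) that are accepted when evaluating requests for Cross-Site Request Forgery` and note that the value is rendered verbatim into CSRF_TRUSTED_ORIGINS, so entries must not carry a path. The same wording ("domains", plus the typos "hsa" and "a array") is repeated in the release note hunk that follows.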
@@ -57,6 +57,9 @@ SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 CSRF_COOKIE_SECURE = True
+{% if (horizon_ssl_csrf_trusted_origins | length) > 0 %}
+CSRF_TRUSTED_ORIGINS = {{ horizon_ssl_csrf_trusted_origins | to_json }}
+{% endif %}
 SESSION_COOKIE_SECURE = True
 {% else %}
 # If Horizon is being served through SSL, then uncomment the following two
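Review bot: `CSRF_TRUSTED_ORIGINS` is emitted only inside the branch that also sets `CSRF_COOKIE_SECURE`/`SESSION_COOKIE_SECURE` (the `{% else %}` shows an enclosing conditional whose `{% if %}` begins outside this hunk), while the variable's stated purpose is TLS terminated outside the cloud; if that conditional keys on Horizon's own SSL configuration rather than on clients reaching it over HTTPS, the documented use case never renders the setting — please confirm, and if so move the three added lines out of the conditional so they are rendered whenever the list is non-empty. The `| to_json` filter produces a JSON array, which is only a valid Python list literal because the entries are plain strings; a short comment above the line, `# rendered with to_json: entries must be plain strings of the form scheme://host[:port]`, would keep a later change from passing a mapping or a value Django would reject. As a style point, the guard `(horizon_ssl_csrf_trusted_origins | length) > 0` can be written `{% if horizon_ssl_csrf_trusted_origins %}`, the usual Jinja truthiness test for a non-empty list.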