From 0146b6be0d2f1710c7884a39fd60a2124394fc56 Mon Sep 17 00:00:00 2001
From: Luke Hinds
Date: Fri, 9 Dec 2016 11:41:19 +0000
Subject: Manage disallow_iframe_embed

disallow_iframe_embed can be used to prevent Horizon from being embedded within an iframe. Legacy browsers are still vulnerable to a Cross-Frame Scripting (XFS) vulnerability, so this option allows extra security hardening where iframes are not used in deployment

Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
Closes-Bug: #1641882
---
 puppet/services/horizon.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 8eaf4044..3cdd069c 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -60,6 +60,7 @@ outputs:
 - 443
 horizon::disable_password_reveal: true
 horizon::enforce_password_check: true
+ horizon::disallow_iframe_embed: true
 horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
 horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
 horizon::vhost_extra_params:
-- 
cgit 1.2.3-korg
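Review bot: The added `horizon::disallow_iframe_embed: true` is a hard-coded default with no comment, and it only takes effect when the installed puppet-horizon already carries the change named in Depends-On. With an older module the hiera key would presumably be ignored without error, leaving the dashboard frameable while the template suggests otherwise. I would add a comment above the line such as `# Clickjacking/XFS hardening: refuse to render Horizon inside an iframe; override via hieradata only where embedding is intentional.` and confirm after deployment that the rendered Horizon settings actually contain the option. Since the commit message frames this as hardening for legacy browsers, it is also worth checking that an `X-Frame-Options` (or CSP `frame-ancestors`) response header is sent, as that is what current browsers enforce. The enclosing mapping starts above the hunk and `horizon::vhost_extra_params` continues below it.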