prevent cross site request forgery in websockets w/ the CSRF token

now that we have the CSRF middleware, we have a reliable token available to us which we can use to verify individual ws_receive payloads; this is _simpler_ than making sure you've properly configured trusted origins, and it's also more secure than Origin header checks see: https://github.com/ansible/tower/issues/2661
2026-05-19 23:07:42 -02:30 · 2018-07-25 07:57:35 -04:00
parent 53c9c0b7f8
commit af84b25726
5 changed files with 28 additions and 88 deletions
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -101,17 +101,6 @@ register(
    category_slug='system',
 )

-register(
-    'WEBSOCKET_ORIGIN_WHITELIST',
-    field_class=fields.StringListField,
-    label=_('Websocket Origin Whitelist'),
-    help_text=_("If Tower is behind a reverse proxy/load balancer, use this setting "
-                "to whitelist hostnames which represent trusted Origin hostnames from which "
-                "Tower should allow websocket connections."),
-    category=_('System'),
-    category_slug='system',
-)
-

 def _load_default_license_from_file():
    try: