mirror of
https://github.com/ansible/awx.git
synced 2026-07-08 23:08:04 -02:30
prevent cross site request forgery in websockets w/ the CSRF token
now that we have the CSRF middleware, we have a reliable token available to us which we can use to verify individual ws_receive payloads; this is _simpler_ than making sure you've properly configured trusted origins, and it's also more secure than Origin header checks see: https://github.com/ansible/tower/issues/2661
This commit is contained in:
@@ -166,11 +166,6 @@ REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST']
|
||||
# REMOTE_HOST_HEADERS will be trusted unconditionally')
|
||||
PROXY_IP_WHITELIST = []
|
||||
|
||||
# If Tower is behind a reverse proxy/load balancer, use this setting
|
||||
# to whitelist hostnames which represent trusted Origin hostnames from which
|
||||
# Tower should allow websocket connections.
|
||||
WEBSOCKET_ORIGIN_WHITELIST = []
|
||||
|
||||
# Note: This setting may be overridden by database settings.
|
||||
STDOUT_MAX_BYTES_DISPLAY = 1048576
|
||||
|
||||
|
||||
Reference in New Issue
Block a user