prevent cross site request forgery in websockets w/ the CSRF token

now that we have the CSRF middleware, we have a reliable token
available to us which we can use to verify individual ws_receive
payloads;  this is _simpler_ than making sure you've properly configured
trusted origins, and it's also more secure than Origin header checks

see: https://github.com/ansible/tower/issues/2661
This commit is contained in:
Ryan Petrello
2018-07-25 07:57:35 -04:00
parent 53c9c0b7f8
commit af84b25726
5 changed files with 28 additions and 88 deletions

View File

@@ -166,11 +166,6 @@ REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST']
# REMOTE_HOST_HEADERS will be trusted unconditionally')
PROXY_IP_WHITELIST = []
# If Tower is behind a reverse proxy/load balancer, use this setting
# to whitelist hostnames which represent trusted Origin hostnames from which
# Tower should allow websocket connections.
WEBSOCKET_ORIGIN_WHITELIST = []
# Note: This setting may be overridden by database settings.
STDOUT_MAX_BYTES_DISPLAY = 1048576