Merge "Expose horizon_disallow_iframe_embed in defaults"

defaults/main.yml

@@ -113,6 +113,14 @@ horizon_simple_ip_management: True
 # To enable ha router support in horizon set to True
 horizon_enable_ha_router: False
 
+# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
+# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
+# Scripting (XFS) vulnerability, so this option allows extra security hardening
+# where iframes are not used in deployment. Default setting is True.
+# For more information see:
+# http://tinyurl.com/anticlickjack
+horizon_disallow_iframe_embed: True
+
 # WSGI tuning parameters
 # horizon_wsgi_processes: 4
 # horizon_wsgi_threads: 4

templates/horizon_local_settings.py.j2

@@ -725,11 +725,7 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # where iframes are not used in deployment. Default setting is True.
 # For more information see:
 # http://tinyurl.com/anticlickjack
-{% if horizon_disallow_iframe_embed is defined %}
-DISALLOW_IFRAME_EMBED = {{ horizon_disallow_iframe_embed }}
-{% else %}
-#DISALLOW_IFRAME_EMBED = True
-{% endif %}
+DISALLOW_IFRAME_EMBED = {{ horizon_disallow_iframe_embed | bool }}
 
 # The default date range in the Overview panel meters - either <today> minus N
 # days (if the value is integer N), or from the beginning of the current month