So I'm not certain this represents a security issue. From comment 2: 1. start a localhost web server with python 2. create a index.html file for localhost which has a <iframe> with an effective url of openstack web console page 3. open the http://localhost page in browser and the web console is shown normally In step 2 I created the index.html to look like: <iframe src=http://$MY_CLOUD_IP:6080/vnc_auto.html?token=$INSTANCE_TOKEN></iframe> With this in place yes I can visit http://localhost/ and get a VNC console in my instance but this differs from the original bug in several ways 1. I can't find a way to read the token/cookie in my browser and have it populate across domains 2. The upgrade from http:// -> ws:// is all happening within the infrastructure of the (albeit small) cloud. and therefore is valid as far as the Origin: Header is concerned. If we can do either 1. host vnc_auto.html on localhost, and stull get access to the console ; or 2. Read the token/cookie from the browser from a domain NOT associated with $MY_CLOUD Then I agree we have an issue. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1511541 Title: Possible incomplete fix for OSSA-2015-005 Status in OpenStack Compute (nova): New Status in OpenStack Security Advisory: Incomplete Bug description: Multiple reports that the fix for [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) is incomplete. https://bugs.launchpad.net/nova/+bug/1409142/comments/146 https://bugs.launchpad.net/nova/+bug/1409142/comments/149 Further investigation is needed. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1511541/+subscriptions