@tony, correct. The procedure in step 2 does not recreate the original bug. By putting the link to src=http://$MY_CLOUD_IP:6080/vnc_auto.html?token=$INSTANCE_TOKEN in the frame, the VNC code will be loaded from $MY_CLOUD and the origin header will show $MY_CLOUD.

To recreate the bug, you need to install the VNC package on your local host (or another host), and then link to http://localhost/noVNC/vnc.html. After entering $MY_CLOUD_IP in the served console page, a request will be made from the browser to $MY_CLOUD. This request will be GET $MY_CLOUD_IP/websockify. The origin header on this request will be null, indicating the script came from the local host.

The origin header will show $MY_CLOUD_IP on an acceptable request. It will show attacker.example.com on a truly malicious request.

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1511541

Title:
  Possible incomplete fix for OSSA-2015-005

Status in OpenStack Compute (nova):
  Incomplete
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Multiple reports that the fix for [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) is incomplete.

  https://bugs.launchpad.net/nova/+bug/1409142/comments/146
  https://bugs.launchpad.net/nova/+bug/1409142/comments/149

  Further investigation is needed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1511541/+subscriptions
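A defender-side illustration of the Origin check the comment above is reasoning about, added here as example code (it is not nova's or noVNC's own implementation). The console access URL is a constructed placeholder standing in for http://$MY_CLOUD_IP:6080/vnc_auto.html; ws/wss origins are folded onto http/https because a page served over http opens a ws:// socket, and an absent or "null" Origin is treated as not attributable to the console host and rejected.

```python
from urllib.parse import urlsplit

# Console access URL handed to the browser. Constructed placeholder for this example;
# in the report it is http://$MY_CLOUD_IP:6080/vnc_auto.html?token=$INSTANCE_TOKEN.
CONSOLE_ACCESS_URL = "http://203.0.113.10:6080/vnc_auto.html"

# A page served over http(s) opens ws(s) sockets, so compare on the page scheme.
SCHEME_ALIAS = {"ws": "http", "wss": "https", "http": "http", "https": "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _scheme_host_port(url):
    """Normalise a URL or Origin value to (scheme, lowercase host, effective port).

    Returns None for anything that is not a well-formed http/https/ws/wss origin,
    e.g. a bare hostname, an empty string or a non-numeric port.
    """
    parts = urlsplit(url)
    scheme = SCHEME_ALIAS.get(parts.scheme.lower())
    if scheme is None or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the authority
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def origin_allowed(origin_header, access_url=CONSOLE_ACCESS_URL):
    """True only when the Origin header names the host that served the console page.

    Missing or literal "null" origins (page loaded from a local file or another
    context the browser will not attribute) are rejected, as is any origin whose
    scheme, host or effective port differs from the console access URL.
    """
    if origin_header is None or origin_header.strip().lower() == "null":
        return False
    expected = _scheme_host_port(access_url)
    got = _scheme_host_port(origin_header.strip())
    return expected is not None and got == expected


def check_handshake(headers, access_url=CONSOLE_ACCESS_URL):
    """Apply origin_allowed to a dict of WebSocket handshake headers (names case-insensitive)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return origin_allowed(lowered.get("origin"), access_url)
```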