If horizon (django) redirects to http://hacked_site after login, it would just perform a simple redirect [1] to the hacked site. Horizon stores the session information of the logged-in user in the cookie, but the cookie will be scoped to the domain of horizon. So the bad site it redirected to will not be able to access any of the session information.

[1] https://github.com/django/django/blob/master/django/contrib/auth/views.py#L47-L53

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  In the current implementation for verifying where the SSO request came from, the host is grabbed from the 'origin' query parameter, and compared to the list of 'trusted_dashboards' in the config file.

    origin = context['query_string'].get('origin')
    host = urllib.parse.unquote_plus(origin)
    if host in CONF.federation.trusted_dashboard:
        ...

  https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

  This works, but unless the entry is marked perfectly in the config file, it won't match. We should loosen the validation that is performed, and maybe even use the HTTP Referer instead (and no longer require the 'origin' parameter from horizon). We should be able to decompose the Referer to figure out the scheme + hostname + path, and use that hostname to check against the trusted dashboards.
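The snippet in the bug description compares the URL-decoded 'origin' string against the trusted_dashboard entries with plain equality, so a trailing slash, an explicit ":443", or different letter case in the hostname all cause a miss. The block below is an added example, not Keystone's code and not the fix that was committed: it keeps the exact-match check from the report beside a hypothetical loosened check that parses both the candidate and every trusted entry with urllib.parse and compares normalised scheme, host, port and path. TRUSTED_DASHBOARDS is a constructed stand-in for CONF.federation.trusted_dashboard, and the function names are made up for this illustration. Unlike the proposal in the report, it does not match on hostname alone: the trusted entries are full URLs, so scheme, port and path stay in the comparison, and parsing the hostname (rather than substring matching) is what rejects look-alikes such as "trusted.example.com.evil.test" or "trusted.example.com@evil.test". Whatever value is compared, the HTTP Referer is supplied by the client and is often stripped by browsers and proxies, so it is a weak replacement for an explicit parameter rather than a stronger one.

```python
"""Added example (not Keystone's code): normalised trusted-dashboard matching.

The check quoted in the bug report is `unquote_plus(origin) in trusted_dashboard`,
a plain string comparison. The loosened check below parses both sides and
compares (scheme, host, port, path) after normalisation. Names are hypothetical.
"""
from urllib.parse import unquote_plus, urlsplit

# Constructed config, standing in for CONF.federation.trusted_dashboard.
# The first two entries describe the same dashboard, spelled differently.
TRUSTED_DASHBOARDS = [
    "https://horizon.example.com/auth/websso/",
    "https://HORIZON.example.com:443/auth/websso",
    "http://devstack.local/auth/websso/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Return (scheme, host, port, path) for an absolute http(s) URL, else None.

    Only an absolute http/https URL with a hostname is accepted; scheme-relative
    ('//host/...'), bare-path and non-http values are rejected outright.
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        # .port raises ValueError for a non-numeric or out-of-range port.
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return None
    # urlsplit already lower-cases .hostname and strips userinfo ('user@'),
    # so 'https://horizon.example.com@evil.test/' yields host 'evil.test'.
    host = parts.hostname.rstrip(".")
    # Paths are case-sensitive; only the trailing-slash difference is ignored.
    path = parts.path.rstrip("/") or "/"
    return scheme, host, port, path


def is_trusted_origin_exact(origin, trusted=TRUSTED_DASHBOARDS):
    """The check as quoted in the bug report: string equality after unquote_plus."""
    return unquote_plus(origin) in trusted


def is_trusted_origin(origin, trusted=TRUSTED_DASHBOARDS):
    """Loosened check: compare parsed scheme/host/port/path, not raw strings."""
    candidate = _normalize(unquote_plus(origin))
    if candidate is None:
        return False
    return any(_normalize(entry) == candidate for entry in trusted)


if __name__ == "__main__":
    for origin in [
        "https://horizon.example.com/auth/websso",                     # no trailing slash
        "https%3A%2F%2FHorizon.Example.com%3A443%2Fauth%2Fwebsso%2F",  # URL-encoded, mixed case
        "https://horizon.example.com.evil.test/auth/websso/",          # look-alike host
        "https://horizon.example.com@evil.test/auth/websso/",          # userinfo trick
        "http://horizon.example.com/auth/websso/",                     # scheme mismatch
    ]:
        print(f"{origin}\n  exact={is_trusted_origin_exact(origin)} "
              f"loosened={is_trusted_origin(origin)}")
```

The exact-match check fails the first two origins only because of a trailing slash and URL encoding, which is the operator-facing problem the bug describes; the loosened check accepts those two and still rejects the last three.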