----- Original Message -----
From: "Martin Sivak" <msivak(a)redhat.com>
To: "Vojtech Szocs" <vszocs(a)redhat.com>
Cc: "Piotr Kliczewski" <piotr.kliczewski(a)gmail.com>, devel(a)ovirt.org
Sent: Monday, September 22, 2014 2:04:32 PM
Subject: Re: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
> Disabling mixed "active" content in browser is not a proper solution.
> UI plugin should load its content in a way that is compatible with
> protocol (i.e. HTTPS) used for enclosing page.
It is the only solution when the remote service does not support SSL. We
might include SSL in some later version, but not for 3.5.
If you're requesting the remote service directly from within an HTTPS context,
and this remote service doesn't support HTTPS access, you are correct,
the only option is to disable mixed active content in the browser.
However, you could also work around this problem via a proxy, for example.
> Loading HTTP content in HTTPS page is considered security vulnerability
> and should be avoided. By default, Firefox blocks mixed "active" content.
I noticed and there is nothing I can do about that, but I never saw the
rationale for that. Although I can see how M-i-M could compromise https page
if handled poorly.
I think that [1] explains the rationale behind mixed content, which is
divided into two separate categories (active content & display content).
[1] https://developer.mozilla.org/en-US/docs/Security/MixedContent
Sniffers can steal sensitive data sent over HTTP. A man-in-the-middle attacker
can rewrite the HTTP response to gain access to parts of the web page (DOM) and
ultimately compromise the security of the whole (HTTPS) page. This is why browsers
typically block mixed active content (XMLHttpRequest, <iframe>, <script>,
etc.).
> This happens when WebAdmin page is loaded as HTTPS and UI plugin uses
> "active" content (XHR object, <script> etc.) that loads data as
> HTTP.
JSON is hardly active. But again.. I can't change the browser.
Maliciously rewritten JSON can become active, containing functions. When
interpreted via eval(), it becomes a security issue. This is one of the reasons
why JSON.parse() was added to the ES5 spec, to safely evaluate JSON strings.
--
Martin Sivák
msivak(a)redhat.com
Red Hat Czech
RHEV-M SLA / Brno, CZ
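The eval() versus JSON.parse() point above, as an added example that is not part of the thread or of the oVirt UI plugin code: both replies below are constructed sample strings, the "tampered" one standing in for what a man-in-the-middle on the HTTP path could substitute.

```javascript
// Added example (not from the thread): a JSON reply fetched over plain HTTP
// can be rewritten in transit. Evaluating it with eval() runs whatever the
// rewrite contains; JSON.parse() only accepts the JSON grammar and rejects it.

// Constructed sample: what the optimizer service legitimately returns.
const honestReply = '{"status": "Solution received", "moves": []}';

// Constructed sample: a rewritten reply. Still plain text on the wire, but it
// is a JavaScript expression, so it is "active" once evaluated as code.
const tamperedReply =
  '{"status": "Solution received", ' +
  '"moves": (function () { tamperedCodeRan = true; return []; })()}';

// Flag set only if attacker-controlled code inside a reply actually executes.
let tamperedCodeRan = false;

// Unsafe: eval() treats the reply as JavaScript, so embedded functions run.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Safe: JSON.parse() throws a SyntaxError on anything outside the JSON grammar,
// so the tampered reply is rejected instead of executed.
function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Run both parsers over the tampered reply and report what happened.
function demonstrate() {
  tamperedCodeRan = false;
  const viaEval = parseWithEval(tamperedReply); // attacker code runs here
  const evalRan = tamperedCodeRan;

  tamperedCodeRan = false;
  const viaParse = parseWithJsonParse(tamperedReply); // rejected, nothing runs
  const parseRan = tamperedCodeRan;

  return {
    evalStatus: viaEval.status, // looks like a normal reply, which is the danger
    evalRan,                    // true: the function in the reply executed
    parseOk: viaParse.ok,       // false: JSON.parse refused it
    parseError: viaParse.error, // "SyntaxError"
    parseRan,                   // false: nothing executed
    honestStatus: parseWithJsonParse(honestReply).value.status,
  };
}
```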
----- Original Message -----
>
>
> ----- Original Message -----
> > From: "Piotr Kliczewski" <piotr.kliczewski(a)gmail.com>
> > To: devel(a)ovirt.org
> > Sent: Wednesday, September 17, 2014 5:25:23 PM
> > Subject: [ovirt-devel] [ovirt-users] [OVIRT-3.5-TEST-DAY-3] Optaplanner
> >
> > Hi,
> >
> > I followed the deployment manual from [1] and configured two DCs with a
> > single cluster each.
> > During configuration of the UI I noticed that in the optimizer result tab
> > there was:
> >
> > Status: Data refresh failed: undefined
> >
> > with Martin's help we found that when setting
> >
> > security.mixed_content.block_active_content
>
> This happens when WebAdmin page is loaded as HTTPS and UI plugin uses
> "active" content (XHR object, <script> etc.) that loads data as
> HTTP.
>
> Loading HTTP content in HTTPS page is considered security vulnerability
> and should be avoided. By default, Firefox blocks mixed "active" content.
>
> More details here: https://support.mozilla.org/en-US/questions/967115
>
> Disabling mixed "active" content in browser is not a proper solution.
> UI plugin should load its content in a way that is compatible with
> protocol (i.e. HTTPS) used for enclosing page.
>
> >
> > to false in FF configuration it works and I can see:
> >
> > Status: Solution received
> >
> > During the installation of second host network configuration failed
> > and I opened BZ [2].
> > When I restored the network configuration on the host I wanted to
> > provision VMs to see optaplanner suggestions, but my rhel6 failed to
> > start any VMs due to:
> >
> > Thread-8102::DEBUG::2014-09-17
> > 16:36:16,216::libvirtconnection::143::root::(wrapper) Unknown
> > libvirterror: ecode: 38 edom: 0 level: 2 message: Child quit during
> > startup handshake: Input/output error
> > Thread-8102::DEBUG::2014-09-17
> > 16:36:16,217::vm::2289::vm.Vm::(_startUnderlyingVm)
> > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::_ongoingCreations
> > released
> > Thread-8102::ERROR::2014-09-17
> > 16:36:16,217::vm::2326::vm.Vm::(_startUnderlyingVm)
> > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::The vm start process
> > failed
> > Traceback (most recent call last):
> > File "/usr/share/vdsm/virt/vm.py", line 2266, in _startUnderlyingVm
> > self._run()
> > File "/usr/share/vdsm/virt/vm.py", line 3368, in _run
> > self._connection.createXML(domxml, flags),
> > File "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py",
> > line 111, in wrapper
> > ret = f(*args, **kwargs)
> > File "/usr/lib64/python2.6/site-packages/libvirt.py", line 2665, in
> > createXML
> > if ret is None:raise libvirtError('virDomainCreateXML() failed',
> > conn=self)
> > libvirtError: Child quit during startup handshake: Input/output error
> > Thread-8102::DEBUG::2014-09-17
> > 16:36:16,218::vm::2838::vm.Vm::(setDownStatus)
> > vmId=`9343ea99-4c27-47d3-a4b6-4bd37013ae99`::Changed state to Down:
> > Child quit during startup handshake: Input/output error (code=1)
> >
> > Vdsm is not able to start any vms but engine still thinks that host is
> > 'UP'.
> >
> > Thanks,
> > Piotr
> >
> > [1] http://www.ovirt.org/Features/Optaplanner
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1142909
> > _______________________________________________
> > Devel mailing list
> > Devel(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/devel
> >