Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set. This can allow third parties to execute legitimate requests for WAMP WebSocket requests against an Autobahn|Python/Crossbar.io server within another browser's context.

Upstream bug:
https://github.com/crossbario/autobahn-python/issues/691

Upstream fixes (second one only adds documentation):
https://github.com/crossbario/autobahn-python/pull/693/commits/2ef13a6804054de74eb36455b58a64a3c701f889
https://github.com/crossbario/autobahn-python/pull/693/commits/13357252435442e8372be731f176260acedc40e0
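To make the security-relevant point of this report concrete, here is an added example of a WebSocket Origin allow-list check. It is not Autobahn|Python's or Crossbar.io's own code, and it does not claim to reproduce the exact defect fixed upstream (this report does not describe it). It contrasts a weak check that turns wildcard patterns into an unanchored regex with a check that parses the Origin and compares scheme, host and port explicitly. The allow-list `ALLOWED_ORIGINS`, the function names and all sample Origin values are assumptions constructed for the example.

```python
"""Illustrative Origin allow-list check for a WebSocket server.

Added example; not Autobahn|Python's own implementation. Origin values
and the allow-list below are constructed for illustration only.
"""
import fnmatch
import re
from urllib.parse import urlsplit

# Assumed allow-list in the same spirit as an 'allowedOrigins' setting.
ALLOWED_ORIGINS = ["https://app.example.com", "https://*.example.com:8443"]


def weak_origin_check(origin, allowed=ALLOWED_ORIGINS):
    """Weak check: wildcard pattern -> regex, tested with re.match().

    re.match() anchors only at the start of the string, so a pattern such as
    "https://app.example.com" also accepts "https://app.example.com.attacker.test",
    and "*" (turned into ".*") can swallow a whole foreign host and path.
    """
    for pattern in allowed:
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.match(regex, origin):
            return True
    return False


def _split_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if it is malformed.

    A browser Origin is exactly scheme://host[:port]; any path, query, fragment
    or userinfo means the value is not a plain origin and is rejected.
    """
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname.lower(), port


def strict_origin_check(origin, allowed=ALLOWED_ORIGINS):
    """Strict check: compare parsed scheme, host and port, with an anchored
    host pattern. Scheme and port must match exactly; the host is matched
    with fnmatchcase(), which anchors at both ends, so "*.example.com" covers
    "a.b.example.com" but never "example.com.attacker.test".
    """
    got = _split_origin(origin)
    if got is None:
        return False
    scheme, host, port = got
    for pattern in allowed:
        want = _split_origin(pattern)
        if want is None:
            continue  # skip malformed allow-list entries rather than widen them
        want_scheme, want_host, want_port = want
        if scheme != want_scheme or port != want_port:
            continue
        if fnmatch.fnmatchcase(host, want_host):
            return True
    return False


if __name__ == "__main__":
    for origin in (
        "https://app.example.com",
        "https://app.example.com.attacker.test",
        "https://evil.test/?x=.example.com:8443",
        "https://api.example.com:8443",
    ):
        print(origin, "weak:", weak_origin_check(origin),
              "strict:", strict_origin_check(origin))
```

The attacker-controlled values in the `__main__` block are the cases that matter in practice: a host that merely starts with the allowed host, and a wildcard that matches across the `/` into a path. The strict variant rejects both because it never compares the raw string; it compares the components a browser actually guarantees in an Origin header.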
Created python-autobahn tracking bugs for this issue:

Affects: fedora-24 [bug 1359792]
python-autobahn-0.10.9-1.gitcf10233.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
OSP 10 will use zaqar in the undercloud. The websockets interface for Zaqar does require autobahn and we are using it from both Mistral workflows and the UI to help transport async messages to clients. I'm not aware of a BZ which outlines all of our usage patterns. Zaqar has multiple transports. We will typically:

1) send messages to a Zaqar queue over HTTP
2) get messages from a Zaqar queue over either HTTP or via websockets (autobahn).

The case for websockets could come from either python-tripleoclient (a remote client) or from the UI running in a web browser.