From ad96a92fa7e96e6d0e15be7b5cc4e3599823a84b Mon Sep 17 00:00:00 2001
From: Chris Meyers
Date: Mon, 11 Mar 2024 17:06:09 -0400
Subject: [PATCH] Align Orign and Host header (#14970)

* Align Orign and Host header
* Before this change the Host: header was runserver. Seems to be set by nginx upstream flow.
* After this change we explicitly set the Host: header
* More about CSRF checks ... CSRF checks that Origin == Host. Think about how the browser works. "I'm executing javascript that I downloaded from awx.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header == Origin: header; OK! vs. the malicious case. "I'm executing javascript that I downloaded from google.com (ORIGIN) and I'm making an XHR POST request to awx.com (HOST)" Server verifies; Host: header != Origin: header; NOT OK!
* Update awx/settings/development.py

---------

Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
---
 awx/settings/development.py | 1 -
 .../ansible/roles/sources/templates/nginx.locations.conf.j2 | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/settings/development.py b/awx/settings/development.py
index e518c1204f78..68fa75ceb8c2 100644
--- a/awx/settings/development.py
+++ b/awx/settings/development.py
@@ -74,7 +74,6 @@ AWX_DISABLE_TASK_MANAGERS = False
 # Needed for launching runserver in debug mode
-CSRF_TRUSTED_ORIGINS = ["https://localhost:8043"]
 # ======================!!!!!!! FOR DEVELOPMENT ONLY !!!!!!!=================================
 # Store a snapshot of default settings at this point before loading any
diff --git a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
index 404be4ade26b..5e79c1bfdd34 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
@@ -46,4 +46,5 @@ location @fallback {
 # Add trailing / if missing
 rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
 proxy_pass http://runserver;
+ proxy_set_header Host $http_host;
 }
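Review bot: Adding a lone `proxy_set_header` inside `location @fallback` switches off inheritance of every `proxy_set_header` directive from the enclosing server/http level (nginx inherits them only when the current level defines none), so any `X-Forwarded-Proto`, `X-Forwarded-For` or `X-Forwarded-Host` set at an outer level would silently stop reaching runserver from this location; if they are defined there, repeat them next to the new `proxy_set_header Host $http_host;` line. That matters for the CSRF goal of this commit, because Django's Origin check compares scheme as well as host, so with TLS terminated at nginx the backend still has to see `X-Forwarded-Proto https` (with `SECURE_PROXY_SSL_HEADER` configured) or `https://localhost:8043` will never match an origin reconstructed as `http://`. Forwarding the client-supplied `$http_host` verbatim also makes `ALLOWED_HOSTS` the only validation of that value, so it should not be `['*']` wherever this compose stack is reachable from anything other than the developer's machine; `$http_host` is the right choice over `$host` here only because the CSRF comparison needs the port preserved. The `location @fallback` block opens before this hunk.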