ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-13351) Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI
Date Tue, 13 Oct 2015 15:59:05 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-13351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955170#comment-14955170
] 

Hadoop QA commented on AMBARI-13351:
------------------------------------

{color:green}+1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12766333/AMBARI-13351_trunk_02.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 4 new or modified
test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number
of release audit warnings.

    {color:green}+1 core tests{color}.  The patch passed unit tests in ambari-server.

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3955//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3955//console

This message is automatically generated.

> Security-related HTTP headers should be set separately for Ambari Views then for Ambari
server UI
> -------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-13351
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13351
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.3
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: security
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13351_branch-2.1_01.patch, AMBARI-13351_branch-2.1_02.patch,
AMBARI-13351_trunk_01.patch, AMBARI-13351_trunk_02.patch
>
>
> The security-related HTTP headers should be set separately for the Ambari Views then
for the Ambari server UI. This is because they have different requirements.  For example the
Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View
must be able to execute in an iframe invoked from the same origin.
> The relevant headers are:
> * Strict-Transport-Security
> * X-Frame-Options
> * X-XSS-Protection
> These headers should be configurable via the ambari.properties such that they may be
turned on or off - and set to some custom value.
> The default value for this headers should be as follows:
> * Strict-Transport-Security: max-age=31536000
> * X-Frame-Options: SAMEORIGIN
> * X-XSS-Protection: 1; mode=block
> Strict-Transport-Security should only be turned on if SSL is enabled.
> The relevant Ambari properties should be:
> * Strict-Transport-Security: views.http.strict-transport-security
> * X-Frame-Options: views.http.x-frame-options
> * X-XSS-Protection: views.http.x-xss-protection
> By setting any of these to be empty, the header is to be turned off (or not set).
> For example:
> {code:title=Sets Strict-Transport-Security to a custom value}
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
> {code}
> {code:title=Turns Strict-Transport-Security off}
> views.http.strict-transport-security=
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message