From: "Hadoop QA (JIRA)"
To: dev@ambari.apache.org
Reply-To: dev@ambari.apache.org
Date: Tue, 13 Oct 2015 15:59:05 +0000 (UTC)
Subject: [jira] [Commented] (AMBARI-13351) Security-related HTTP headers should be set separately for Ambari Views than for Ambari server UI

    [ https://issues.apache.org/jira/browse/AMBARI-13351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955170#comment-14955170 ]

Hadoop QA commented on AMBARI-13351:
------------------------------------

{color:green}+1 overall{color}.  Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12766333/AMBARI-13351_trunk_02.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 4 new or modified test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:green}+1 core tests{color}.  The patch passed unit tests in ambari-server.

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/3955//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/3955//console

This message is automatically generated.

> Security-related HTTP headers should be set separately for Ambari Views than for Ambari server UI
> -------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-13351
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13351
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.3
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: security
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13351_branch-2.1_01.patch, AMBARI-13351_branch-2.1_02.patch, AMBARI-13351_trunk_01.patch, AMBARI-13351_trunk_02.patch
>
>
> The security-related HTTP headers should be set separately for the Ambari Views than for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.
>
> The relevant headers are:
> * Strict-Transport-Security
> * X-Frame-Options
> * X-XSS-Protection
>
> These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
>
> The default values for these headers should be as follows:
> * Strict-Transport-Security: max-age=31536000
> * X-Frame-Options: SAMEORIGIN
> * X-XSS-Protection: 1; mode=block
>
> Strict-Transport-Security should only be turned on if SSL is enabled.
>
> The relevant Ambari properties should be:
> * Strict-Transport-Security: views.http.strict-transport-security
> * X-Frame-Options: views.http.x-frame-options
> * X-XSS-Protection: views.http.x-xss-protection
>
> By setting any of these to be empty, the header is to be turned off (or not set).
>
> For example:
> {code:title=Sets Strict-Transport-Security to a custom value}
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
> {code}
>
> {code:title=Turns Strict-Transport-Security off}
> views.http.strict-transport-security=
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
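The semantics the issue asks for (defaults per header, an empty property value meaning "do not set the header", and Strict-Transport-Security emitted only when SSL is on) can be checked in isolation before touching the servlet layer. The following is an added example written for this note, not Ambari's own code or patch: `parse_properties` and `view_security_headers` are hypothetical helper names, the property keys and defaults are the ones proposed in the issue description, and the `ambari.properties` fragment is constructed for the demonstration. Note that the custom HSTS value in the issue contains its own `=`, so the parser splits on the first `=` only, as `java.util.Properties` does.

```python
"""Per-view security headers driven by ambari.properties-style settings.

Added example (not Ambari code): parses the three `views.http.*` keys proposed
in AMBARI-13351, treats an empty value as "header not set", and only emits
Strict-Transport-Security when SSL is enabled.
"""
from typing import Dict, Tuple

# Property key -> (response header name, default from the issue description).
DEFAULTS: Dict[str, Tuple[str, str]] = {
    "views.http.strict-transport-security": ("Strict-Transport-Security", "max-age=31536000"),
    "views.http.x-frame-options": ("X-Frame-Options", "SAMEORIGIN"),
    "views.http.x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser (hypothetical helper).

    Splits on the FIRST '=' only, so a value such as
    'max-age=31536000; includeSubDomains' keeps its inner '=' intact.
    Blank lines and '#'/'!' comment lines are skipped.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        # "key=" (empty value) is recorded as "", which means "header off".
        props[key.strip()] = value.strip() if sep else ""
    return props


def view_security_headers(props: Dict[str, str], ssl_enabled: bool) -> Dict[str, str]:
    """Return the headers to add to an Ambari View response.

    - key absent       -> default value from the issue
    - key set to ''    -> header turned off (not emitted)
    - key set to value -> custom value
    - HSTS is dropped whenever SSL is off, regardless of configuration,
      because a max-age pin is meaningless for a plain-HTTP listener.
    """
    headers: Dict[str, str] = {}
    for prop, (header, default) in DEFAULTS.items():
        value = props.get(prop, default)
        if value == "":
            continue
        if header == "Strict-Transport-Security" and not ssl_enabled:
            continue
        headers[header] = value
    return headers


# Constructed sample ambari.properties fragment (not from a real deployment):
# custom HSTS with subdomains, XSS filter turned off, X-Frame-Options at default.
SAMPLE_PROPERTIES = """
# views.http.x-frame-options is deliberately absent -> default SAMEORIGIN
views.http.strict-transport-security=max-age=31536000; includeSubDomains
views.http.x-xss-protection=
"""

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for ssl in (True, False):
        print(f"ssl_enabled={ssl}: {view_security_headers(cfg, ssl)}")
```

Running the script shows the same configuration producing a three-header set only when SSL is enabled; with SSL off the HSTS header disappears even though it is explicitly configured, and the empty `views.http.x-xss-protection=` line suppresses X-XSS-Protection in both cases.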