hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12234) Web UI Framable Page
Date Fri, 08 Jan 2016 15:38:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089358#comment-15089358 ]

Steve Loughran commented on HADOOP-12234:
-----------------------------------------

Reviewing this, I am pleased to see that we don't need to care about IE7 any more. Which is
good, as nobody was going to test it anyway.

A filter in hadoop-common seems the best place for it. The main issue is: what turns it on
and where? I'm with Haohui here: make it something projects explicitly turn on/off if they
choose. HDFS's needs ("part of a management console") are different from a YARN app, where that's
not a perceived use case.

On that topic, we'd probably recommend that YARN apps use it too, wouldn't we? Or at least
have the RM proxy add it when filtering requests, which would give it to the apps automatically.

> Web UI Framable Page
> --------------------
>
>                 Key: HADOOP-12234
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12234
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HADOOP-12234-v2-master.patch, HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
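For readers who want to see the shape of the filter being discussed, the block below is an illustrative servlet filter added to this archive page. It is not Hadoop's own code, and the init-parameter names (xframe-options.enabled, xframe-options.value) are assumptions chosen for the example. It follows the "explicitly turn it on/off per project" model from the comment: the header is only emitted when the filter is enabled, and a value the browser would not honour fails at init time rather than silently leaving pages frameable.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative clickjacking filter (example code, not Hadoop's implementation).
 * When enabled, stamps X-Frame-Options on every response passing through it.
 *
 * Init parameters (hypothetical names used for this example):
 *   xframe-options.enabled  "true" to emit the header, anything else disables the filter
 *   xframe-options.value    DENY or SAMEORIGIN; defaults to SAMEORIGIN
 */
public class XFrameOptionsFilter implements Filter {
  static final String HEADER = "X-Frame-Options";

  // Only the values with universal browser support. ALLOW-FROM is left out on purpose:
  // it was never implemented by every browser, so relying on it gives false assurance.
  private static final Set<String> SUPPORTED =
      new HashSet<>(Arrays.asList("DENY", "SAMEORIGIN"));

  private boolean enabled;
  private String value;

  @Override
  public void init(FilterConfig cfg) throws ServletException {
    enabled = Boolean.parseBoolean(cfg.getInitParameter("xframe-options.enabled"));
    String configured = cfg.getInitParameter("xframe-options.value");
    value = (configured == null) ? "SAMEORIGIN" : configured.trim().toUpperCase();

    // Fail closed: a typo in the value must not quietly disable the protection.
    if (enabled && !SUPPORTED.contains(value)) {
      throw new ServletException("Unsupported " + HEADER + " value: " + value
          + " (expected DENY or SAMEORIGIN)");
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (enabled && res instanceof HttpServletResponse) {
      // Set the header before invoking the rest of the chain so it is present on
      // redirects, error pages and early-committed responses, not only on 200s.
      ((HttpServletResponse) res).setHeader(HEADER, value);
    }
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() {
    // nothing to release
  }
}
```

Once such a filter is registered as a global filter on a daemon's web server, the check a practitioner would run is simply `curl -sI http://<host>:<port>/ | grep -i x-frame-options` and expect a `DENY` or `SAMEORIGIN` line; if the RM proxy is the thing adding it for YARN apps, repeat the check against a proxied application URL, since the application's own servlet container will not add it. Note that `X-Frame-Options` is a per-response header with no wildcard or allow-list form that all browsers honour; where a UI genuinely must be embedded by a specific other origin, the Content-Security-Policy `frame-ancestors` directive is the mechanism designed for that, and it can be emitted from the same kind of filter.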
