hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13008) Add XFS Filter for UIs to Hadoop Common
Date Fri, 08 Apr 2016 22:07:25 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Larry McCay updated HADOOP-13008:
---------------------------------
    Description: 
Cross Frame Scripting (XFS) prevention for UIs can be provided through a common servlet filter.
This filter will set the X-Frame-Options HTTP header to DENY unless configured to another
valid setting.

There are a number of UIs that could just add this to their filters as well as the Yarn webapp
proxy which could add it for all it's proxied UIs - if appropriate.

  was:
CSRF prevention for REST APIs can be provided through a common servlet filter. This filter
would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.

The fact that CSRF attacks are entirely browser based means that the above approach can ensure
that requests are coming from either: applications served by the same origin as the REST API
or that there is explicit policy configuration that allows the setting of a header on XmlHttpRequest
from another origin.


> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
>                 Key: HADOOP-13008
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13008
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a common servlet
filter. This filter will set the X-Frame-Options HTTP header to DENY unless configured to
another valid setting.
> There are a number of UIs that could just add this to their filters as well as the Yarn
webapp proxy which could add it for all it's proxied UIs - if appropriate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message