Date: Sat, 13 Sep 2014 01:19:35 +0000 (UTC)
From: "Jonathan Eagles (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Updated] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins

     [ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Eagles updated YARN-2528:
----------------------------------
    Attachment:     (was: YARN-2528-v2-split-header.patch)

> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection and major browsers reject the encoded Origin. An adequate protection is simply to remove all CRs and LFs, as in the case of PHP's header function.
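The difference between the two protections named in the issue, as an added Java example that is not code from the attached patches or from Hadoop. The class name, method names and sample Origin values are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added illustration; OriginHeaderSanitizer and its methods are hypothetical names.
public class OriginHeaderSanitizer {

    // The protection the issue calls too strong: percent-encode the whole Origin value.
    static String urlEncoded(String origin) throws UnsupportedEncodingException {
        return URLEncoder.encode(origin, "UTF-8");
    }

    // The protection the issue proposes: drop every CR and LF, keep all other characters.
    static String stripCrLf(String origin) {
        if (origin == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(origin.length());
        for (int i = 0; i < origin.length(); i++) {
            char c = origin.charAt(i);
            if (c != '\r' && c != '\n') {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue.
        String valid = "http://example.com:8080";
        String withCrLf = "http://example.com\r\nX-Injected: 1";

        // Encoding rewrites ':' and '/', so the echoed value no longer equals
        // the Origin the browser sent and the browser rejects the response.
        System.out.println("encoded valid origin : " + urlEncoded(valid));
        // Stripping leaves a valid origin byte-for-byte unchanged.
        System.out.println("stripped valid origin: " + stripCrLf(valid));
        // A value carrying CR/LF collapses onto one header line.
        System.out.println("stripped CR/LF origin: " + stripCrLf(withCrLf));

        if (urlEncoded(valid).equals(valid)) {
            throw new AssertionError("encoding was expected to alter a valid origin");
        }
        if (!stripCrLf(valid).equals(valid)) {
            throw new AssertionError("stripping must not alter a valid origin");
        }
        String cleaned = stripCrLf(withCrLf);
        if (cleaned.indexOf('\r') >= 0 || cleaned.indexOf('\n') >= 0) {
            throw new AssertionError("CR or LF survived stripping");
        }
    }
}
```

Stripping only keeps the reflected value on a single header line; it does not decide whether the origin should be allowed.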