From: "Jonathan Eagles (JIRA)"
To: yarn-issues@hadoop.apache.org
Date: Tue, 9 Sep 2014 21:33:29 +0000 (UTC)
Subject: [jira] [Commented] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins

[ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14127592#comment-14127592 ]

Jonathan Eagles commented on YARN-2528:
---------------------------------------

[~zjshen], sorry to bother you again. Found another bug while working on getting the Tez UI running in a hosted environment. Can you give a review?
> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch
>
> URLEncoding is too strong of a protection for the HTTP Response Split Vulnerability, and major browsers reject the encoded Origin. An adequate protection is simply to remove all CRs and LFs, as in the case of PHP's header function.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
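The issue description above makes two claims: percent-encoding the echoed Origin does stop CR/LF header injection, but it also changes the value so browsers no longer match it against the request Origin, whereas simply deleting CR and LF keeps the header on one line without altering a legitimate origin. The following added example, which is not part of the issue or the YARN-2528 patch (the filter itself is Java; this is Python with constructed inputs), compares the two protections on a valid origin and on a constructed CR/LF-injected one. `quote(origin, safe="")` is used as an approximation of Java's `URLEncoder.encode`, and `browser_accepts` is a simplified stand-in for the browser's CORS comparison.

```python
"""Added example: URL-encoding vs. CR/LF stripping for an echoed Origin header."""
from urllib.parse import quote


def encode_origin_urlencoding(origin: str) -> str:
    """Percent-encode every reserved character, including ':' and '/'.

    This approximates Java's URLEncoder.encode(origin, "UTF-8").  It does
    neutralise CR/LF, but the result is no longer the string the browser sent.
    """
    return quote(origin, safe="")


def sanitize_origin_strip_crlf(origin: str) -> str:
    """Delete every CR and LF, which is what PHP's header() does.

    Whatever survives stays on a single header line, so the response cannot be
    split, and a legitimate origin passes through byte-for-byte unchanged.
    """
    return origin.replace("\r", "").replace("\n", "")


def browser_accepts(request_origin: str, allow_origin_header: str) -> bool:
    """Simplified CORS check: Access-Control-Allow-Origin must be '*' or equal
    to the serialized request Origin; browsers do not decode it first."""
    return allow_origin_header == "*" or allow_origin_header == request_origin


def response_header_lines(allow_origin_value: str) -> list:
    """Serialise the one header the filter emits and split it the way an HTTP
    client would; more than one element means the response was split."""
    raw = "Access-Control-Allow-Origin: " + allow_origin_value + "\r\n"
    return [line for line in raw.split("\r\n") if line]


def compare_protections(origin: str) -> dict:
    """Return, for each protection, the emitted value, how many header lines it
    occupies, and whether a browser would still accept it for `origin`."""
    encoded = encode_origin_urlencoding(origin)
    stripped = sanitize_origin_strip_crlf(origin)
    return {
        "urlencoded": (encoded, len(response_header_lines(encoded)),
                       browser_accepts(origin, encoded)),
        "strip_crlf": (stripped, len(response_header_lines(stripped)),
                       browser_accepts(origin, stripped)),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the Hadoop issue.
    valid_origin = "https://ui.example.com:8443"
    injected_origin = "https://ui.example.com\r\nX-Injected: yes"
    for name, value in [("valid", valid_origin), ("injected", injected_origin)]:
        for protection, (emitted, lines, accepted) in compare_protections(value).items():
            print(f"{name:8} {protection:10} lines={lines} accepted={accepted} value={emitted!r}")
```

Run it and the valid origin shows the asymmetry the issue describes: the URL-encoded value `https%3A%2F%2Fui.example.com%3A8443` stays on one line but is rejected by the browser-side comparison, while the CR/LF-stripped value is identical to the request Origin and is accepted. For the injected input, the unsanitised value splits into two header lines, and both protections reduce it to one.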