hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Tue, 17 Oct 2017 18:40:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208131#comment-16208131 ]

Eric Yang commented on YARN-7338:
---------------------------------

[~sunilg] It is very important to have the CORS header included for JavaScript if the JavaScript
is utilizing third-party libraries.  In the ui2 case, it downloads a number of third-party JavaScript
libraries during build time.  Third-party JavaScript libraries have the potential to enable a hacker
to trigger unexpected JavaScript calls to leak information to other servers.  The CORS header
will help to ground the communication between browser and servers to the same origin.  Here
is an example of Bank of America website JavaScript.

Request
{code}
Request URL:https://aero.bankofamerica.com/30306/I3n.js
Request Method:GET
Status Code:200 OK
Remote Address:123.123.123.123:443
Referrer Policy:no-referrer-when-downgrade
{code}

Response Headers
{code}
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, OPTIONS
Access-Control-Allow-Origin:https://www.bankofamerica.com
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/x-javascript
Date:Tue, 17 Oct 2017 18:22:23 GMT
{code}

There is an Access-Control-Allow-Origin header being sent from the server.

It is best to start the leak prevention before a mistake is made.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
>
> Opening jira as suggested by [~eyang] on the thread for merging YARN-3368 (new web UI) to branch2
> http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting prevention.
> The following parameters have no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters setup for the
> existing resource manager doesn't apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to backporting
> this to branch-2.
> This would minimize the risk of opening up a security hole in branch-2.
> ----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
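The comment above shows what an allow-list CORS response looks like on the wire. The following is an added illustration, not code from Hadoop, YARN or anyone on this thread: a minimal origin allow-list filter in the style of Hadoop's CrossOriginFilter (the one switched on by hadoop.http.cross-origin.enabled), plus the decision a browser makes on the page side about whether a script may read the response. The allowed origin is the one quoted in the Bank of America response headers; the second origin, the method and header lists, the max-age and the `Origin`/`Access-Control-Request-Method` request headers fed in are constructed sample values. It also rejects the pairing a reviewer should always look for in a CORS configuration: `Access-Control-Allow-Credentials: true` together with a wildcard origin.

```python
"""Added example: allow-list CORS filter logic and the browser-side read check.

This is not Hadoop/YARN code. Configuration values below are constructed; only
the bank origin comes from the response headers quoted in the JIRA comment.
"""
from typing import Dict, List

# Constructed configuration, analogous to an allow-list CORS filter's settings.
ALLOWED_ORIGINS: List[str] = ["https://www.bankofamerica.com"]
ALLOWED_METHODS: List[str] = ["GET", "OPTIONS"]
ALLOWED_HEADERS: List[str] = ["X-Requested-With", "Content-Type", "Accept", "Origin"]
ALLOW_CREDENTIALS: bool = True
MAX_AGE_SECONDS: int = 1800


def config_problems(allowed_origins: List[str], allow_credentials: bool) -> List[str]:
    """Return a list of configuration mistakes (empty when the config is sound).

    Browsers refuse 'Access-Control-Allow-Origin: *' on credentialed requests, so a
    filter configured this way is pushed into echoing whatever Origin arrives, which
    hands any site a credentialed read of the response.
    """
    problems = []
    if allow_credentials and "*" in allowed_origins:
        problems.append("allow-credentials must not be combined with a '*' origin")
    if not allowed_origins:
        problems.append("allowed-origins is empty; no cross-origin request can succeed")
    return problems


def origin_allowed(origin: str, allowed_origins: List[str]) -> bool:
    """Exact-match allow list. '*' admits every origin (only acceptable without credentials)."""
    return "*" in allowed_origins or origin in allowed_origins


def cors_response_headers(method: str, request_headers: Dict[str, str],
                          allowed_origins: List[str] = ALLOWED_ORIGINS,
                          allowed_methods: List[str] = ALLOWED_METHODS,
                          allowed_headers: List[str] = ALLOWED_HEADERS,
                          allow_credentials: bool = ALLOW_CREDENTIALS,
                          max_age: int = MAX_AGE_SECONDS) -> Dict[str, str]:
    """Return the CORS headers the server should add to this response, or {} for none."""
    problems = config_problems(allowed_origins, allow_credentials)
    if problems:
        raise ValueError("; ".join(problems))

    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: CORS does not apply
    if not origin_allowed(origin, allowed_origins):
        return {}  # no ACAO header at all: the browser withholds the body from the page

    # Emit the specific allowed origin (not '*') and mark the response as varying by Origin
    # so a shared cache never serves one origin's permissioned response to another.
    headers = {
        "Access-Control-Allow-Origin": "*" if "*" in allowed_origins else origin,
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    requested = request_headers.get("Access-Control-Request-Method")
    if method == "OPTIONS" and requested is not None:
        # Preflight: a method outside the allow list fails the preflight outright.
        if requested not in allowed_methods:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        headers["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
        headers["Access-Control-Max-Age"] = str(max_age)
    else:
        # Actual request: mirror the method list, as the quoted bank response does.
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
    return headers


def browser_allows_read(page_origin: str, with_credentials: bool,
                        response_headers: Dict[str, str]) -> bool:
    """Browser-side rule: may a script running on page_origin read this cross-origin response?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # wildcard never unlocks credentialed reads
    if acao != page_origin:
        return False
    if with_credentials and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


if __name__ == "__main__":
    # Constructed request from the allowed origin, then from an unrelated one.
    ok = cors_response_headers("GET", {"Origin": "https://www.bankofamerica.com"})
    other = cors_response_headers("GET", {"Origin": "https://other.example"})
    print("allowed origin headers:", ok)
    print("other origin headers:", other)
    print("script on other.example can read:", browser_allows_read("https://other.example", True, other))
```

The point the filter makes concrete: a script injected into a page on some other origin can still send a request to the server, but without a matching `Access-Control-Allow-Origin` the browser never hands the response body to that script, which is the leak the comment is concerned with. CORS governs reads of cross-origin responses; limiting which hosts a page's own scripts may contact is a separate control (Content-Security-Policy), so the two are complementary rather than interchangeable.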

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

