hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Tue, 17 Oct 2017 18:40:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208131#comment-16208131

Eric Yang commented on YARN-7338:

[~sunilg] It is very important to have the CORS header included for JavaScript if the JavaScript
is utilizing third-party libraries.  In the ui2 case, it downloads a number of third-party JavaScript
libraries during build time.  Third-party JavaScript libraries have the potential to enable a hacker
to trigger unexpected JavaScript calls to leak information to other servers.  The CORS header
will help to ground the communication between browser and servers to the same origin.  Here
is an example from the Bank of America website JavaScript.

Request URL:https://aero.bankofamerica.com/30306/I3n.js
Request Method:GET
Status Code:200 OK
Remote Address:
Referrer Policy:no-referrer-when-downgrade

Response Headers
Access-Control-Allow-Methods:GET, OPTIONS
Cache-Control:no-cache, no-store, must-revalidate
Date:Tue, 17 Oct 2017 18:22:23 GMT

There is an Access-Control-Allow-Origin header being sent from the server.

It is best to start leak prevention before a mistake is made.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
> Opening jira as suggested by [~eyang] on the thread for merging YARN-3368 (new web UI)
> to branch2  http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support the same-origin policy for cross site scripting prevention.
> The following parameters have no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters set up for the
> existing resource manager don't apply to the new web application.
> Please open a JIRA to track the security issue and resolve the problem prior to backporting
> this to branch-2.
> This would minimize the risk of opening up a security hole in branch-2.
> ----------

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
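As an added illustration, not code from this thread or from the Hadoop project: the per-request decision a cross-origin filter like the one the issue wants applied to ui2 makes, with the permissive `*` allow-list beside an exact one. The host names and allow-lists below are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-lists: "*" is the permissive form; a locked-down
# deployment names the exact origins that may read responses.
PERMISSIVE_ALLOWED_ORIGINS = ["*"]
STRICT_ALLOWED_ORIGINS = ["https://rm.example.internal:8088"]
ALLOWED_METHODS = ["GET", "OPTIONS"]


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname.lower()}{port}"


def origin_allowed(origin, allowed_origins):
    """True when the (normalised) origin is on the allow-list."""
    if origin is None:
        return False
    if "*" in allowed_origins:
        return True
    return origin in {normalize_origin(a) for a in allowed_origins}


def cors_response_headers(request_headers, allowed_origins, allowed_methods=ALLOWED_METHODS):
    """Return the CORS headers to attach; empty when the origin is not allowed,
    so the browser's same-origin policy keeps the response unreadable there."""
    raw = request_headers.get("Origin")
    origin = normalize_origin(raw) if raw is not None else None
    if not origin_allowed(origin, allowed_origins):
        return {}
    return {
        # Echo the specific origin rather than "*" so responses are never
        # readable by arbitrary sites.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        # Caches must not serve one origin's answer to another origin.
        "Vary": "Origin",
    }


def policy_is_permissive(allowed_origins):
    """Flag an allow-list that admits any origin or contains malformed entries."""
    return "*" in allowed_origins or any(
        normalize_origin(a) is None for a in allowed_origins
    )
```

With `*` any page on the web gets an echoed Access-Control-Allow-Origin and can read the response; with the exact list only the named resource manager origin does.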
