hadoop-yarn-issues mailing list archives

From "Sunil G (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Wed, 18 Oct 2017 02:48:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208739#comment-16208739 ]

Sunil G commented on YARN-7338:
-------------------------------

Thanks [~eyang] for sharing more points here.
{noformat}
Request URL:https://tags.tiqcdn.com/utag/bofa/main/prod/utag.js
Request Method:GET
Status Code:200 
Remote Address:104.121.229.167:443
Referrer Policy:no-referrer-when-downgrade
{noformat}

Response Headers
{noformat}
accept-ranges:bytes
cache-control:max-age=300
content-encoding:gzip
content-length:27343
content-type:application/x-javascript
date:Wed, 18 Oct 2017 02:17:54 GMT
etag:"bc10f1dc838dfe4d03f3e9d5c204f760:1506620434"
expires:Wed, 18 Oct 2017 02:22:54 GMT
last-modified:Thu, 28 Sep 2017 17:40:34 GMT
server:Apache
status:200
vary:Accept-Encoding
{noformat}

When I referred to various static contents from BOA or other sites, I saw mostly responses like
the one above. But the link which you shared has {{Access-Control-Allow-Credentials:true}}. I am not
sure why this is not there for all pages. Please correct me if I missed some other headers
here.

I am trying to phrase the potential security threat model explained by you.
# Third-party JS libs used to compile some *.js* files of ui2 have harmful contents.
# The UI2 browser end point downloads the whole contents from the server to its cache.
# This content is hence at the client end (NOT at the server end). Could this impact the REST responses
coming from the NM or RM, which are already protected by XFS and other filters?

I am also in line with you that we have to protect contents before getting any issue. I checked
the code and there is a way these filters could be added. However, this detailed discussion
will help folks to re-iterate the real reason why static contents need CORS protection, as
a few statics were not protected in general.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
>
> Opening jira as suggested by [~eyang] on the thread for merging YARN-3368 (new web UI) to branch2  http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting prevention.
> The following parameters have no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters set up for the existing resource manager don't apply to the new web application.
> Please open a JIRA to track the security issue and resolve the problem prior to backporting this to branch-2.
> This would minimize the risk of opening up a security hole in branch-2.
> ----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
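The allowlist decision this thread is circling (which origins get an Access-Control-Allow-Origin at all, and why Access-Control-Allow-Credentials:true must never ride on a wildcard or a blindly echoed Origin), written out as an added Python example. This is not Hadoop's own cross-origin filter code nor anything attached to YARN-7338; the origins, default method/header lists and function names are my own assumptions, and the response header names are the standard CORS ones.

```python
"""Allowlist-based CORS decision for a YARN-style HTTP endpoint.

Added example, not Hadoop code.  It models what a cross-origin filter in
front of RM/NM REST and static content has to decide per request, with the
rule the discussion above turns on: when Access-Control-Allow-Credentials
is true, Access-Control-Allow-Origin must name one allowlisted origin,
never "*" and never a blind echo of whatever Origin the request carries.
"""
from typing import Dict, Mapping, Sequence
from urllib.parse import urlsplit

# Hypothetical defaults chosen for the example (not Hadoop's own values).
DEFAULT_METHODS = ("GET", "POST", "HEAD")
DEFAULT_HEADERS = ("x-requested-with", "content-type", "accept", "origin")


def normalize_origin(origin: str) -> str:
    """Reduce an origin or URL to lower-case scheme://host[:port].

    Returns "" for anything that is not a proper origin (e.g. "null" or a
    bare hostname), so callers treat it as not allowlisted.
    """
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.hostname:
        return ""
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    if port is None or port == default_port:
        return f"{scheme}://{parts.hostname.lower()}"
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def cors_headers(
    request_headers: Mapping[str, str],
    allowed_origins: Sequence[str],
    allow_credentials: bool,
    method: str = "GET",
    allowed_methods: Sequence[str] = DEFAULT_METHODS,
    allowed_headers: Sequence[str] = DEFAULT_HEADERS,
    max_age: int = 1800,
) -> Dict[str, str]:
    """Return the CORS response headers to add, or {} to add none.

    Emitting nothing for an unknown origin is the safe default: the browser
    then refuses to hand the response body to the calling page.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    wildcard = any(o.strip() == "*" for o in allowed_origins)
    if wildcard and allow_credentials:
        # Browsers reject this combination; emulating it by echoing the
        # request Origin would let any site make credentialed calls.
        raise ValueError("allowed origin '*' cannot be combined with credentials")
    allowed = {normalize_origin(o) for o in allowed_origins if o.strip() != "*"}
    allowed.discard("")

    origin = req.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: plain SOP applies
    norm = normalize_origin(origin)
    if not norm or (not wildcard and norm not in allowed):
        return {}  # not allowlisted: say nothing, the browser blocks the read

    headers: Dict[str, str] = {}
    if wildcard:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        headers["Access-Control-Allow-Origin"] = norm  # the allowlisted value, not "*"
        headers["Vary"] = "Origin"                     # shared caches must key on Origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in req
    if is_preflight:
        wanted = req["access-control-request-method"].upper()
        if wanted not in {m.upper() for m in allowed_methods}:
            return {}  # refuse the preflight outright
        raw = req.get("access-control-request-headers", "")
        requested = [h.strip().lower() for h in raw.split(",") if h.strip()]
        granted = [h for h in requested if h in set(allowed_headers)]
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        if granted:
            headers["Access-Control-Allow-Headers"] = ", ".join(granted)
        headers["Access-Control-Max-Age"] = str(max_age)
    return headers


if __name__ == "__main__":
    # Constructed sample: one UI origin allowlisted for credentialed calls.
    allowlist = ["https://ui.example.test:8088"]
    print(cors_headers({"Origin": "https://ui.example.test:8088"}, allowlist, True))
    print(cors_headers({"Origin": "https://evil.test"}, allowlist, True))  # {}
```

The point for the static-content question in the thread: a request with no Origin header (a same-origin page load, or curl) gets no CORS headers at all, and a cross-origin request from an origin that is not allowlisted also gets none, so nothing served this way becomes readable to a page on another site merely because it is static.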
