hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sunil G (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Wed, 18 Oct 2017 02:48:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208739#comment-16208739

Sunil G commented on YARN-7338:

Thanks [~eyang] for sharing more points here.
Request URL:https://tags.tiqcdn.com/utag/bofa/main/prod/utag.js
Request Method:GET
Status Code:200 
Remote Address:
Referrer Policy:no-referrer-when-downgrade

Response Headers
date:Wed, 18 Oct 2017 02:17:54 GMT
expires:Wed, 18 Oct 2017 02:22:54 GMT
last-modified:Thu, 28 Sep 2017 17:40:34 GMT

When I referred various static contents from BOA or other sites, I saw mostly responses like
above. But the link which u shared has {{Access-Control-Allow-Credentials:true}}. I am not
sure why this is not there for all pages. please correct me if I missed some other headers

I am tying to phrase the potential security threat model explained by you.
# Third party js libs used to compile some *.js* files of ui2 has harmful contents.
# UI2 browser end point downloads whole contents from server to its cache.
# This content is hence in client end (NOT at server end). Could this impact the REST response
coming from NM or RM which is already protected by XFS and other filters?

I am also in line with you where we have to protect contents before getting any issue. I checked
code and there is a way which this filters could be added. However this detailed discussion
will help folks to re-iterate on real reason why static contents needs cors protection as
few statics were not protected in general.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
> Opening jira as suggested b [~eyang] on the thread for merging YARN-3368 (new web UI)
to branch2  http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting prevention.
> The following parameters has no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters setup for
existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to backporting
this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message