hbase-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14148) Web UI Framable Page
Date Sat, 25 Jul 2015 00:32:04 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14641288#comment-14641288 ]

Sean Busbey commented on HBASE-14148:
-------------------------------------

You're correct about what's causing the audit failure. It either isn't detecting that as the
BSD license, or it doesn't recognize the BSD license as legit. We could rephrase the license
or configure rat to recognize it, but let's step back for a minute to address [~eclark]'s
concerns.

(Elliot, please correct me if I misstate your position)

{quote}
bq. I don't think that this is complex enough that we should be copying code from others.

I agree with you that it is a very trivial piece of code and that anyone would have written
the same. However, when I was reading on clickjacking, I came across it, read it and it was in
the back of my head when I was doing changes. So the fact remains that I referenced it, and
since the code looks the same (it couldn't have looked different, right!), I would prefer to
have the new-BSD license here. We all are anyways interested in the feature, right?
{quote}

I don't read any opposition to the feature in Elliot's response, just an opposition to not
doing our own implementation. Is it possible for you to reimplement the configurable x-frame
headers in a way that does not look like the OWASP version? If it isn't, we'll need to find
a contributor who can reimplement this knowing only the spec (that is, someone who hasn't
seen the OWASP code).

> Web UI Framable Page
> --------------------
>
>                 Key: HBASE-14148
>                 URL: https://issues.apache.org/jira/browse/HBASE-14148
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Apekshit Sharma
>            Assignee: Apekshit Sharma
>         Attachments: HBASE-14148-master.patch, HBASE-14148-v2-master.patch, HBASE-14148-v3-master.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
