hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-17679) http-generic-click-jacking for WebHcat server
Date Fri, 13 Oct 2017 06:34:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-17679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16203112#comment-16203112
] 

Thejas M Nair commented on HIVE-17679:
--------------------------------------

FYI , HIVE-13853 adds ability to introduce X-XSRF-Header through config option for both HS2
(thrift http requests) and webhcat. If that is enabled, then requests from UI cannot be sent
as they can't add this custom header to the requests.


> http-generic-click-jacking for WebHcat server
> ---------------------------------------------
>
>                 Key: HIVE-17679
>                 URL: https://issues.apache.org/jira/browse/HIVE-17679
>             Project: Hive
>          Issue Type: Bug
>          Components: Security, WebHCat
>    Affects Versions: 2.1.1
>            Reporter: Aihua Xu
>            Assignee: Aihua Xu
>             Fix For: 3.0.0
>
>         Attachments: HIVE-17679.1.patch, HIVE-17679.2.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages from being
framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message