mesos-issues mailing list archives

From "Jacob Janco (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-5918) Replace jsonp with a more secure alternative
Date Tue, 25 Apr 2017 20:41:04 GMT

    [ https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15983568#comment-15983568 ]

Jacob Janco edited comment on MESOS-5918 at 4/25/17 8:40 PM:
-------------------------------------------------------------

[~greggomann] [~anandmazumdar][~mlunoe][~xujyan] Reopening a bit of discussion on replacing
the jsonp workaround with CORS handling server side. An initial idea is to have a configurable
regex for domains available for cross origin requests which will match against sent Origin
headers. At this point I don't think we'll have to support preflighting requests to add this
functionality. Another consideration, should this be a libprocess level configuration or perhaps
a flag set on masters and agents?


was (Author: jjanco):
[~greggomann] [~anandmazumdar][~mlunoe] Reopening a bit of discussion on replacing the jsonp
workaround with CORS handling server side. An initial idea is to have a configurable regex
for domains available for cross origin requests which will match against sent Origin headers.
At this point I don't think we'll have to support preflighting requests to add this functionality.
Another consideration, should this be a libprocess level configuration or perhaps a flag set
on masters and agents?

> Replace jsonp with a more secure alternative
> --------------------------------------------
>
>                 Key: MESOS-5918
>                 URL: https://issues.apache.org/jira/browse/MESOS-5918
>             Project: Mesos
>          Issue Type: Improvement
>          Components: webui
>            Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice has many
> security concerns (see discussions on MESOS-5911) so we should replace it with a better alternative.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
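
The Origin check proposed in the comment above, sketched as an added example; it is not Mesos or libprocess code and not from the comment's author. `corsHeaders`, `kAllowed` and the `ui.example.com` pattern are hypothetical, and only simple requests (no preflight) are covered.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <string>

using Headers = std::map<std::string, std::string>;

// Hypothetical helper: returns the CORS response headers for a request, or an
// empty map when the Origin header is absent ("") or not allowed.
Headers corsHeaders(const std::string& origin, const std::regex& allowed)
{
  // Same-origin and non-browser requests usually carry no Origin header.
  if (origin.empty()) {
    return Headers{};
  }

  // regex_match succeeds only if the pattern covers the whole value.
  // regex_search would also accept "https://ui.example.com.other.test"
  // for a pattern configured without ^...$ anchors.
  if (!std::regex_match(origin, allowed)) {
    return Headers{};
  }

  return Headers{
    // Echo the single matched origin rather than the wildcard "*".
    {"Access-Control-Allow-Origin", origin},
    // The response now differs per Origin, so caches must key on it.
    {"Vary", "Origin"},
  };
}

// Constructed sample value for the configurable regex. Dots are escaped so
// that "." cannot stand in for an arbitrary character.
const std::regex kAllowed(R"(https://([a-z0-9-]+\.)?ui\.example\.com(:\d+)?)");

int main()
{
  // Constructed sample Origin values.
  for (const char* origin : {"https://ui.example.com",
                             "https://ui.example.com.other.test",
                             "http://ui.example.com"}) {
    std::cout << origin << " -> "
              << (corsHeaders(origin, kAllowed).empty() ? "no CORS headers"
                                                        : "allowed")
              << "\n";
  }
  return 0;
}
```

Whether the pattern lives in libprocess or behind a master/agent flag, matching the full header value keeps a loosely written pattern from admitting look-alike origins.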
