mesos-issues mailing list archives

From "Anand Mazumdar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-5918) Replace jsonp with a more secure alternative
Date Thu, 27 Apr 2017 20:43:04 GMT

    [ https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15987624#comment-15987624 ]

Anand Mazumdar commented on MESOS-5918:
---------------------------------------

We intend to move the Web UI eventually to use the v1 Operator API. When that happens, we
won't be able to use jsonp at all owing to not being able to use {{POST}} requests. Based
on previous discussions with UI folks, we did not want to use CORS due to security implications.
Instead, the plan was to expose an endpoint on the master that would proxy requests to the
agent (e.g., {{/forward}}). The endpoint would still be guarded by AuthN.

See MESOS-5735 for more context.

> Replace jsonp with a more secure alternative
> --------------------------------------------
>
>                 Key: MESOS-5918
>                 URL: https://issues.apache.org/jira/browse/MESOS-5918
>             Project: Mesos
>          Issue Type: Improvement
>          Components: webui
>            Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice has many
> security concerns (see discussions on MESOS-5911) so we should replace it with a better alternative.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
