Posted to dev@drill.apache.org by "Dmytro Kondriukov (Jira)" <ji...@apache.org> on 2020/03/18 09:07:00 UTC

[jira] [Resolved] (DRILL-7646) Resources types: *.ttf and data:image/gif received without response headers

     [ https://issues.apache.org/jira/browse/DRILL-7646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dmytro Kondriukov resolved DRILL-7646.
--------------------------------------
    Resolution: Not A Bug

Those resources are taken from the browser cache, not sent by the server.
Not a bug.

> Resources types: *.ttf and data:image/gif received without response headers
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-7646
>                 URL: https://issues.apache.org/jira/browse/DRILL-7646
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: Dmytro Kondriukov
>            Priority: Major
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181"
>   impersonation: {
>         enabled: true,
>         max_chained_user_hops: 3
>         },
>     security: {
>         auth.mechanisms : ["PLAIN"],
>         },
>     security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>     }
>   http: {
>     ssl_enabled: true,
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
> Steps:
> # Open the "Network" tab in the browser console
> # Inspect the web resources for the presence of the response headers:
> * X-XSS-Protection
> * X-Content-Type-Options
> * Strict-Transport-Security
> * Content-Security-Policy
> *Expected result:* all resources have the tested headers
> *Actual result:* Drillbit Web-UI sends *.ttf and data:image/gif without the response headers,
> and some *.woff resources when the user performs logout.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
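As an added example (not part of the Jira issue or of Drill's own code), the following Python function audits a browser HAR export for the four headers listed in the issue and, following the resolution above, sets aside data: URIs and cache-served entries, since neither carries a response the server sent. The `_fromCache` key and the localhost:8047 URLs in the constructed sample are assumptions.

```python
import json
from urllib.parse import urlsplit

# Security headers the Jira issue expects on every Drill web resource.
REQUIRED_HEADERS = (
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
    "Content-Security-Policy",
)

# Constructed HAR-style entries imitating a browser network log (not a real capture);
# "_fromCache" is assumed to mark cache hits, as Chrome's non-standard HAR key does.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://localhost:8047/"},
     "response": {"status": 200, "headers": [
         {"name": "X-XSS-Protection", "value": "1; mode=block"},
         {"name": "X-Content-Type-Options", "value": "nosniff"},
         {"name": "Strict-Transport-Security", "value": "max-age=31536000;includeSubDomains"},
         {"name": "Content-Security-Policy", "value": "default-src https:"}]}},
    {"request": {"url": "https://localhost:8047/static/fonts/glyphicons.ttf"},
     "_fromCache": "disk",
     "response": {"status": 200, "headers": []}},
    {"request": {"url": "data:image/gif;base64,AAAA"},
     "response": {"status": 0, "headers": []}},
    {"request": {"url": "https://localhost:8047/static/js/app.js"},
     "response": {"status": 200, "headers": [
         {"name": "X-Content-Type-Options", "value": "nosniff"}]}},
]}})


def audit_entries(har_text):
    """Return (findings, skipped): findings maps a URL to its missing headers,
    skipped lists entries the server never answered (data: URIs, cache hits)."""
    findings, skipped = {}, []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        # data: URIs are decoded by the browser; there is no HTTP response to inspect.
        if urlsplit(url).scheme == "data":
            skipped.append((url, "data URI"))
            continue
        # Cache hits replay an earlier response; audit the origin response instead.
        if entry.get("_fromCache"):
            skipped.append((url, "served from browser cache"))
            continue
        present = {h["name"].lower() for h in entry["response"]["headers"]}
        missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
        if missing:
            findings[url] = missing
    return findings, skipped
```

Run the audit with the browser cache disabled (or after a hard reload) so that font files are fetched from the server and their headers become visible.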