Posted to dev@zeppelin.apache.org by "Joel Zambrano (JIRA)" <ji...@apache.org> on 2015/08/20 20:57:46 UTC

[jira] [Created] (ZEPPELIN-245) Zeppelin enables CORS (Cross-Origin Request Sharing) by default with insecure settings (Access-Control-Allow-Origin: *)

Joel Zambrano created ZEPPELIN-245:
--------------------------------------

             Summary: Zeppelin enables CORS (Cross-Origin Request Sharing) by default with insecure settings (Access-Control-Allow-Origin: *)
                 Key: ZEPPELIN-245
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-245
             Project: Zeppelin
          Issue Type: Bug
          Components: Core
    Affects Versions: 0.5.0
            Reporter: Joel Zambrano
             Fix For: 0.6.0


Description:
CORS (Cross-Origin Request Sharing) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from a domain other than the one the resource originated from. Cross-origin requests can be restricted to verified and authorized domains by naming those domains in the HTTP response header Access-Control-Allow-Origin. The insecure value, the star (*), allows requests from any source. In that situation a malicious user could lure a victim into visiting a web page containing malicious client-side code that interacts with the Zeppelin APIs.
 
Recommendations:
It is strongly recommended to disable CORS if it is not needed, by removing the lines in the Zeppelin source code that set the header. According to our analysis, there is no need to support cross-origin API requests.
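As an added illustration (not code from this issue or from Zeppelin), the following Python audits a captured HTTP response for the wildcard header described above and shows an allowlist-based replacement for it; the responses and origins are constructed samples:

```python
"""Added example, not part of ZEPPELIN-245 or of Zeppelin's code base.
Classifies the CORS policy a server returns, and builds a safe
Access-Control-Allow-Origin value from an explicit allowlist instead of '*'."""
from typing import Dict, Iterable, Optional

# Constructed sample responses; not captured from any real Zeppelin host.
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Methods: GET, POST, PUT, DELETE\r\n"
    "Content-Type: application/json\r\n\r\n"
)
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://notebooks.example.org\r\n"
    "Vary: Origin\r\n"
    "Content-Type: application/json\r\n\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cors(raw: str) -> str:
    """Classify the policy: 'disabled', 'wildcard' or 'allowlist'."""
    acao = parse_headers(raw).get("access-control-allow-origin")
    if acao is None:
        return "disabled"     # recommended state when cross-origin use is not needed
    if acao == "*":
        return "wildcard"     # the ZEPPELIN-245 condition: any origin may call the API
    return "allowlist"        # a specific origin is named


def allow_origin_header(request_origin: Optional[str],
                        allowlist: Iterable[str]) -> Optional[str]:
    """Hardened alternative to '*': echo the Origin only if it is explicitly trusted.
    Returning None means the header is omitted and the browser blocks the read."""
    if request_origin is not None and request_origin in set(allowlist):
        return request_origin
    return None
```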




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)