Posted to reviews@impala.apache.org by "Andrew Sherman (Code Review)" <ge...@cloudera.org> on 2022/01/21 19:58:32 UTC

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Andrew Sherman has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18168


Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CDP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CDP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M be/src/util/webserver.cc
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
6 files changed, 63 insertions(+), 24 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18168
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 1
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
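As an added example (not Impala's test code, and not the header text from this change, which the thread does not quote), here is a small Python checker for the policy the commit message describes: all web content from 'self' (the impalad), inline code allowed only through 'unsafe-inline', no remote origins such as the http source Chart.js used to be fetched from, and the header absent only when the disable flag is set. The responses and header values are constructed for the example.

```python
"""Parse a Content-Security-Policy header and check it against the webui
policy described in the commit: 'self' plus 'unsafe-inline', nothing remote.
Added example; the sample headers below are constructed, not captured."""

CSP_HEADER = "Content-Security-Policy"
# Keywords that do not open the page to another origin. 'unsafe-inline' is
# tolerated because the commit says some inline code is still allowed.
LOCAL_KEYWORDS = {"'self'", "'unsafe-inline'", "'none'"}
CHECKED_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src", "connect-src")


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}.
    Directives are ';'-separated, sources whitespace-separated. Directive
    names are case-insensitive; a repeated directive keeps its first copy,
    which is how browsers treat duplicates."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives that are not listed fall back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def _is_local(source):
    # nonce- and hash-sources only whitelist inline blocks served by the
    # page itself, so they do not count as an external origin either.
    return source in LOCAL_KEYWORDS or source.startswith("'nonce-") or source.startswith("'sha")


def check_webui_csp(headers, header_disabled=False):
    """Return a list of findings for one response's headers (dict, any key case).
    An empty list means the response matches the described policy. With
    header_disabled=True (the --disable_content_security_policy_header=true
    case) a missing header is expected and an emitted one is a finding."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(CSP_HEADER.lower())
    if value is None:
        if not header_disabled:
            findings.append("missing %s header" % CSP_HEADER)
        return findings
    if header_disabled:
        findings.append("header emitted although the disable flag is set")
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src: unlisted content types are unrestricted")
    for directive in CHECKED_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if "'self'" not in sources and "'none'" not in sources:
            findings.append("%s does not restrict to 'self'" % directive)
        for src in sources:
            if not _is_local(src):
                findings.append("%s allows external source %s" % (directive, src))
    return findings


# Constructed sample responses (not captured from a real impalad).
GOOD_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'",
}
# The pre-change shape: a chart library pulled from a remote http origin.
REMOTE_SCRIPT_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                               "http://cdn.example.invalid",
}
NO_CSP_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("remote", REMOTE_SCRIPT_HEADERS),
                       ("none", NO_CSP_HEADERS)):
        print(name, check_webui_csp(hdrs) or "OK")
    print("flag set, no header:", check_webui_csp(NO_CSP_HEADERS, header_disabled=True) or "OK")
```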

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CSP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CSP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Reviewed-on: http://gerrit.cloudera.org:8080/18168
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M LICENSE.txt
M be/src/util/webserver.cc
M bin/rat_exclude_files.txt
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
8 files changed, 86 insertions(+), 24 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified

-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 7
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18168/2/tests/custom_cluster/test_web_pages.py
File tests/custom_cluster/test_web_pages.py:

http://gerrit.cloudera.org:8080/#/c/18168/2/tests/custom_cluster/test_web_pages.py@251
PS2, Line 251:  
flake8: E261 at least two spaces before inline comment



-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 20:04:58 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 6: Verified+1


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Tue, 25 Jan 2022 22:52:49 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 6: Code-Review+2


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Mon, 24 Jan 2022 18:20:25 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Andrew Sherman (Code Review)" <ge...@cloudera.org>.
Hello Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18168

to look at the new patch set (#4).

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CDP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CDP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M LICENSE.txt
M be/src/util/webserver.cc
M bin/rat_exclude_files.txt
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
8 files changed, 86 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/4
-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 4
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Andrew Sherman (Code Review)" <ge...@cloudera.org>.
Andrew Sherman has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 5:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG@24
PS4, Line 24: CSP
> nit: CSP
Ha, you can see where that came from! Thanks


http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG@30
PS4, Line 30: CSP
> nit: CSP
done



-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 5
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Mon, 24 Jan 2022 18:09:36 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Wenzhe Zhou (Code Review)" <ge...@cloudera.org>.
Wenzhe Zhou has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 5: Code-Review+2


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 5
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Mon, 24 Jan 2022 18:16:03 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 1:

Build Failed 

https://jenkins.impala.io/job/gerrit-code-review-checks/10029/ : Initial code review checks failed. See linked job for details on the failure.


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 1
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 20:20:47 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 3:

Build Failed 

https://jenkins.impala.io/job/gerrit-code-review-checks/10031/ : Initial code review checks failed. See linked job for details on the failure.


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 3
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 20:27:50 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 4:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/10033/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 4
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 22:37:43 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/18168/1/tests/custom_cluster/test_web_pages.py
File tests/custom_cluster/test_web_pages.py:

http://gerrit.cloudera.org:8080/#/c/18168/1/tests/custom_cluster/test_web_pages.py@251
PS1, Line 251:  
flake8: E261 at least two spaces before inline comment


http://gerrit.cloudera.org:8080/#/c/18168/1/tests/webserver/test_web_pages.py
File tests/webserver/test_web_pages.py:

http://gerrit.cloudera.org:8080/#/c/18168/1/tests/webserver/test_web_pages.py@25
PS1, Line 25: import logging
flake8: F401 'logging' imported but unused



-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 1
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 19:59:22 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Wenzhe Zhou (Code Review)" <ge...@cloudera.org>.
Wenzhe Zhou has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 4: Code-Review+1

(2 comments)

Nits in commit message, others look good.

http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG@24
PS4, Line 24: CDP
nit: CSP


http://gerrit.cloudera.org:8080/#/c/18168/4//COMMIT_MSG@30
PS4, Line 30: CDP
nit: CSP



-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 4
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Mon, 24 Jan 2022 17:44:43 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 6: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7756/


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Tue, 25 Jan 2022 00:57:08 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 6:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7756/ DRY_RUN=false


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Mon, 24 Jan 2022 18:20:26 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Andrew Sherman (Code Review)" <ge...@cloudera.org>.
Hello Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18168

to look at the new patch set (#2).

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CDP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CDP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M be/src/util/webserver.cc
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
6 files changed, 62 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/2
-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Andrew Sherman (Code Review)" <ge...@cloudera.org>.
Hello Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18168

to look at the new patch set (#3).

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CDP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CDP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M be/src/util/webserver.cc
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
6 files changed, 62 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/3
-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 3
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 2:

Build Failed 

https://jenkins.impala.io/job/gerrit-code-review-checks/10030/ : Initial code review checks failed. See linked job for details on the failure.


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 2
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Fri, 21 Jan 2022 20:28:44 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/18168 )

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................


Patch Set 6:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7761/ DRY_RUN=false


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 6
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>
Gerrit-Comment-Date: Tue, 25 Jan 2022 16:22:44 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-11078 Add simple CSP header to webui.

Posted by "Andrew Sherman (Code Review)" <ge...@cloudera.org>.
Hello Wenzhe Zhou, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18168

to look at the new patch set (#5).

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CSP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CSP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M LICENSE.txt
M be/src/util/webserver.cc
M bin/rat_exclude_files.txt
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
8 files changed, 86 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/5
-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 5
Gerrit-Owner: Andrew Sherman <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Wenzhe Zhou <wz...@cloudera.com>