Posted to issues@mesos.apache.org by "Neil Conway (JIRA)" <ji...@apache.org> on 2016/04/20 16:24:25 UTC

[jira] [Commented] (MESOS-5219) Add security headers to HTTP response

    [ https://issues.apache.org/jira/browse/MESOS-5219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249981#comment-15249981 ] 

Neil Conway commented on MESOS-5219:
------------------------------------

[~dlaidlaw] -- thanks for the report. I'm not very familiar with XSS attacks or clickjacking -- can you describe a hypothetical scenario in which Mesos would be involved in such an attack, and how the headers you suggest adding would prevent the attack?

> Add security headers to HTTP response
> -------------------------------------
>
>                 Key: MESOS-5219
>                 URL: https://issues.apache.org/jira/browse/MESOS-5219
>             Project: Mesos
>          Issue Type: Improvement
>          Components: HTTP API
>            Reporter: Don Laidlaw
>
> Cross-site scripting and clickjacking are major concerns. Many issues can be resolved by setting some headers in the HTTP responses for the user interface and REST responses for both the master and slave processes.
> X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
> X-XSS-Protection: 1; mode=block
> These would go a long way to making sites using Mesos more secure. Note that the user exploiting attacks does not need to have access to the Mesos hosts; they are attacked through a user's web browser. So if the user can connect to both Mesos and the internet, it is an issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
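As an added illustration of the request in the quoted issue (example code written for this page, not part of the Mesos code base), the following audit checks a response's headers for the two values the reporter asks for: X-Frame-Options in one of its three forms, and X-XSS-Protection set to `1; mode=block`. The sample header sets are constructed; `fetch_headers()` is a hypothetical helper for pointing the audit at a live master or agent endpoint and is not called at import time.

```python
"""Audit HTTP response headers for the protections requested in MESOS-5219.

Added example, not Mesos code. audit_security_headers() is a pure function so
it runs offline against a constructed header set; fetch_headers() is an
optional network helper for a live endpoint (e.g. http://<master>:5050/,
hypothetical host).
"""
from urllib.request import urlopen

# Values the issue lists for X-Frame-Options; header values are matched
# case-insensitively here.
FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def audit_security_headers(headers):
    """Return a list of findings; an empty list means both headers look right.

    `headers` maps header name -> value. Names are matched case-insensitively,
    as HTTP header names are.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    else:
        parts = xfo.split()
        token = parts[0].upper()
        # DENY / SAMEORIGIN, or the third form from the issue: ALLOW-FROM <uri>
        if not (token in FRAME_OPTIONS or (token == "ALLOW-FROM" and len(parts) == 2)):
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    else:
        directives = [p.strip().lower() for p in xss.split(";")]
        if directives[0] != "1" or "mode=block" not in directives[1:]:
            findings.append(f"X-XSS-Protection should be '1; mode=block', got {xss!r}")
    return findings


def fetch_headers(url):
    """Fetch `url` and return its response headers as a dict (network helper)."""
    with urlopen(url) as resp:  # assumes the endpoint is reachable
        return dict(resp.headers.items())


# Constructed sample: a response that carries neither header.
MISSING = {"Content-Type": "text/html", "Content-Length": "42"}
# Constructed sample: a response carrying the values requested in the issue.
HARDENED = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}
```

Browsers have since removed the XSS auditor that X-XSS-Protection controlled, so that check reflects the 2016 request rather than a protection current browsers still apply; the X-Frame-Options check remains meaningful.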