You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@storm.apache.org by "Tibor Kiss (JIRA)" <ji...@apache.org> on 2016/07/20 12:58:20 UTC

[jira] [Updated] (STORM-1989) X-Frame-Options support for Storm UI

     [ https://issues.apache.org/jira/browse/STORM-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tibor Kiss updated STORM-1989:
------------------------------
    Issue Type: Improvement  (was: Bug)

> X-Frame-Options support for Storm UI
> ------------------------------------
>
>                 Key: STORM-1989
>                 URL: https://issues.apache.org/jira/browse/STORM-1989
>             Project: Apache Storm
>          Issue Type: Improvement
>          Components: storm-core
>            Reporter: Tibor Kiss
>            Priority: Minor
>              Labels: security
>
> Cross Frame Scripting (XFS) vulnerability enables an attacker to load malicious code inside a HTTP frame. See more details [here|https://www.owasp.org/index.php/Cross_Frame_Scripting].
> The fix for the vulnerability is trivial: 
> The X-Frame-Options HTTP Header entry needs to be passed to the browser. Further details can be found [here|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options].
> Currently the X-Frame-Options field is not passed to the browser through Storm UI. 
> The implementation for this fix would enable the Storm Administrator to set the X-Frame-Options field through a storm config parameter: 
> ui.http.x-frame-options
> The parameter would have three possible values which would reflect X-Frame-Option's possible values.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)