Posted to issues@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2017/10/13 06:40:00 UTC

[jira] [Comment Edited] (HIVE-17679) http-generic-click-jacking for WebHcat server

    [ https://issues.apache.org/jira/browse/HIVE-17679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16203112#comment-16203112 ] 

Thejas M Nair edited comment on HIVE-17679 at 10/13/17 6:39 AM:
----------------------------------------------------------------

FYI, HIVE-13853 adds the ability to introduce X-XSRF-Header through a config option for both HS2 (thrift http requests) and webhcat. If that is enabled, then requests from the UI (browser) cannot be sent, as they can't add this custom header to the requests.



was (Author: thejas):
FYI, HIVE-13853 adds the ability to introduce X-XSRF-Header through a config option for both HS2 (thrift http requests) and webhcat. If that is enabled, then requests from the UI cannot be sent, as they can't add this custom header to the requests.


> http-generic-click-jacking for WebHcat server
> ---------------------------------------------
>
>                 Key: HIVE-17679
>                 URL: https://issues.apache.org/jira/browse/HIVE-17679
>             Project: Hive
>          Issue Type: Bug
>          Components: Security, WebHCat
>    Affects Versions: 2.1.1
>            Reporter: Aihua Xu
>            Assignee: Aihua Xu
>             Fix For: 3.0.0
>
>         Attachments: HIVE-17679.1.patch, HIVE-17679.2.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
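An added illustration, not Hive's or WebHCat's code: a small WSGI middleware in Python that applies both defences the thread mentions, the anti-framing response headers this issue asks for and the mandatory custom request header mechanism the comment attributes to HIVE-13853. The header name X-XSRF-HEADER, the DENY policy, the demo app and the request path are assumptions made for the example.

```python
# Added example, not project code. Header name, policy and paths are assumed.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# X-Frame-Options value -> equivalent CSP frame-ancestors source list
FRAME_TO_CSP = {"DENY": "'none'", "SAMEORIGIN": "'self'"}


class FramingAndXsrfMiddleware:
    def __init__(self, app, xsrf_header="X-XSRF-HEADER", frame_policy="DENY"):
        self.app = app
        # WSGI exposes request headers as HTTP_<NAME> with '-' mapped to '_'
        self.xsrf_env_key = "HTTP_" + xsrf_header.upper().replace("-", "_")
        self.frame_policy = frame_policy

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        # An HTML form on another site cannot attach a custom header, so
        # state-changing requests without it are refused before reaching the app.
        if method not in SAFE_METHODS and self.xsrf_env_key not in environ:
            start_response("401 Unauthorized",
                           self._with_frame_headers([("Content-Type", "text/plain")]))
            return [b"Missing required XSRF header\n"]

        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, self._with_frame_headers(headers), exc_info)

        return self.app(environ, wrapped_start)

    def _with_frame_headers(self, headers):
        """Add X-Frame-Options and CSP frame-ancestors unless the app set them."""
        present = {name.lower() for name, _ in headers}
        out = list(headers)
        if "x-frame-options" not in present:
            out.append(("X-Frame-Options", self.frame_policy))
        if "content-security-policy" not in present:
            csp = FRAME_TO_CSP.get(self.frame_policy, "'none'")
            out.append(("Content-Security-Policy", "frame-ancestors " + csp))
        return out


def hello_app(environ, start_response):
    """Constructed stand-in for a WebHCat-style REST endpoint."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def invoke(app, method="GET", extra_env=None):
    """Drive a WSGI app without a server; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/status"}  # constructed
    environ.update(extra_env or {})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

A GET passes through with both anti-framing headers added; a POST is rejected with 401 unless the request carries the configured custom header, which a cross-site form cannot supply.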