Posted to hdfs-dev@hadoop.apache.org by "Elek, Marton (JIRA)" <ji...@apache.org> on 2017/10/21 20:09:00 UTC

[jira] [Created] (HDFS-12693) Ozone: Enable XFrame options for KSM/SCM web ui

Elek, Marton created HDFS-12693:
-----------------------------------

             Summary: Ozone: Enable XFrame options for KSM/SCM web ui
                 Key: HDFS-12693
                 URL: https://issues.apache.org/jira/browse/HDFS-12693
             Project: Hadoop HDFS
          Issue Type: Sub-task
          Components: ozone
    Affects Versions: HDFS-7240
            Reporter: Elek, Marton
            Assignee: Elek, Marton


According to the discussion about the security checklist on the dev list, I started to check the security features of the existing HttpServer2 and found that by default the XFrame option headers are disabled. This patch enables it by default for the SCM/KSM server, similar to the Namenode/Datanode web UI.

(Note: Even if the only form on the SCM/KSM UIs is the standard LogLevel form, I think it's a good practice to enable it by default.)

Test:

Without the patch (clean build, SCM ui):

{code}
curl -v localhost:9876/jmx -o /dev/null
* TCP_NODELAY set
* Connected to localhost (::1) port 9876 (#0)
> GET /jmx HTTP/1.1
> Host: localhost:9876
> User-Agent: curl/7.55.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:54:43 GMT
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
{code}

With the patch:
{code}
curl -v localhost:9876/jmx -o /dev/null
* Connected to localhost (::1) port 9876 (#0)
> GET /jmx HTTP/1.1
> Host: localhost:9876
> User-Agent: curl/7.55.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:55:07 GMT
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< X-FRAME-OPTIONS: SAMEORIGIN
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
{code}

Note: the X-FRAME-OPTIONS header is present in the second case.



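An added check, not part of the issue or of the Hadoop code: a small Python audit that parses `curl -v` captures like the two above and reports whether X-Frame-Options is missing, set to a value browsers enforce, set to a value modern browsers no longer honour, or set inconsistently. The BEFORE/AFTER samples are constructed, shortened copies of the captures above.

```python
# Audit `curl -v` captures for X-Frame-Options, the header that tells browsers
# whether a page may be embedded in a frame (the clickjacking defence this
# issue enables on the SCM/KSM servers).
STRONG_VALUES = {"DENY", "SAMEORIGIN"}

# Constructed samples: shortened copies of the two captures in the issue.
BEFORE = """\
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Cache-Control: no-cache
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Content-Type: application/json; charset=utf8
< Access-Control-Allow-Origin: *
"""
AFTER = BEFORE.replace("< Access-Control",
                       "< X-FRAME-OPTIONS: SAMEORIGIN\n< Access-Control")


def parse_curl_headers(verbose_output: str) -> dict:
    """Map lower-cased response header names to the list of their values.

    Only lines prefixed with '< ' are response headers in curl -v output; the
    status line carries no colon and is skipped.  Values are kept as a list
    because headers such as Date may repeat (the captures above show it twice).
    """
    headers = {}
    for line in verbose_output.splitlines():
        if not line.startswith("< ") or ":" not in line:
            continue
        name, _, value = line[2:].partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_x_frame_options(verbose_output: str) -> dict:
    """Classify a capture as missing, strong, weak or conflicting."""
    values = parse_curl_headers(verbose_output).get("x-frame-options", [])
    if not values:
        return {"status": "missing", "values": values}
    distinct = {v.upper() for v in values}
    if len(distinct) > 1:
        # Two different directives: browser handling is not consistent, and
        # the configuration is wrong either way.
        return {"status": "conflicting", "values": values}
    status = "strong" if distinct.pop() in STRONG_VALUES else "weak"
    # "weak" covers the obsolete ALLOW-FROM form and typos, both of which
    # modern browsers ignore, leaving the page frameable.
    return {"status": status, "values": values}
```

Header names are matched case-insensitively, so the upper-cased X-FRAME-OPTIONS emitted by HttpServer2 is found the same way as the mixed-case spelling.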