Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2016/01/08 16:38:39 UTC

[jira] [Commented] (HADOOP-12234) Web UI Framable Page

    [ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089358#comment-15089358 ] 

Steve Loughran commented on HADOOP-12234:
-----------------------------------------

Reviewing this, I am pleased to see that we don't need to care about IE7 any more. Which is good, as nobody was going to test it anyway.

A filter in hadoop-common seems the best place for it. The main issue is: what turns it on and where? I'm with Haohui here: make it something projects explicitly turn on/off if they choose. HDFS's needs ("part of a management console") are different from a YARN app, where that's not a perceived use case.

On that topic, we'd probably recommend that YARN apps use it too, wouldn't we? Or at least have the RM proxy add it when filtering requests, which would give it to the apps automatically.

> Web UI Framable Page
> --------------------
>
>                 Key: HADOOP-12234
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12234
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HADOOP-12234-v2-master.patch, HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.  
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
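As an added illustration of the opt-in filter discussed above (example code, not Hadoop's own and not from the attached patches): a javax.servlet Filter that emits X-Frame-Options only when a project enables it, rejecting header values browsers would ignore; the init-parameter names xframe.enabled and xframe.value are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Illustrative anti-clickjacking filter (hypothetical, not Hadoop's own).
// It stays inactive unless a project explicitly enables it via init parameters.
public class XFrameOptionsFilter implements Filter {
  public static final String HEADER = "X-Frame-Options";
  // Hypothetical init-parameter names; a real project would pick its own.
  static final String ENABLED_PARAM = "xframe.enabled";
  static final String VALUE_PARAM = "xframe.value";
  // ALLOW-FROM is deliberately left out: browser support for it was inconsistent,
  // so relying on it can leave a page framable without any error.
  private static final List<String> ALLOWED = Arrays.asList("DENY", "SAMEORIGIN");

  private boolean enabled;
  private String value;

  @Override
  public void init(FilterConfig cfg) throws ServletException {
    enabled = Boolean.parseBoolean(cfg.getInitParameter(ENABLED_PARAM));
    String v = cfg.getInitParameter(VALUE_PARAM);
    value = (v == null) ? "SAMEORIGIN" : v.trim().toUpperCase();
    if (enabled && !ALLOWED.contains(value)) {
      // Fail at startup rather than serve a header value browsers will ignore.
      throw new ServletException("Invalid " + HEADER + " value: " + value);
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    if (enabled && resp instanceof HttpServletResponse) {
      // setHeader, not addHeader, so a response never carries two conflicting values.
      ((HttpServletResponse) resp).setHeader(HEADER, value);
    }
    chain.doFilter(req, resp);
  }

  @Override
  public void destroy() { }
}
```

Verifying the mitigation from the outside is a matter of fetching any UI page and checking that the response carries exactly one X-Frame-Options header with DENY or SAMEORIGIN.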

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)