Posted to dev@storm.apache.org by "P. Taylor Goetz (JIRA)" <ji...@apache.org> on 2016/07/22 21:06:20 UTC
[jira] [Resolved] (STORM-1989) X-Frame-Options support for Storm UI
[ https://issues.apache.org/jira/browse/STORM-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
P. Taylor Goetz resolved STORM-1989.
------------------------------------
Resolution: Fixed
Fix Version/s: 1.1.0, 1.0.2, 0.10.2
Thanks [~tibor.kiss]. Merged to 0.10.x/1.0.x/1.1.x.
> X-Frame-Options support for Storm UI
> ------------------------------------
>
> Key: STORM-1989
> URL: https://issues.apache.org/jira/browse/STORM-1989
> Project: Apache Storm
> Issue Type: Improvement
> Components: storm-core
> Reporter: Tibor Kiss
> Priority: Minor
> Labels: security
> Fix For: 0.10.2, 1.0.2, 1.1.0
>
>
> Cross Frame Scripting (XFS) vulnerability enables an attacker to load malicious code inside an HTTP frame. See more details [here|https://www.owasp.org/index.php/Cross_Frame_Scripting].
> The fix for the vulnerability is trivial:
> The X-Frame-Options HTTP Header entry needs to be passed to the browser. Further details can be found [here|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options].
> Currently the X-Frame-Options field is not passed to the browser through Storm UI.
> The implementation for this fix would enable the Storm Administrator to set the X-Frame-Options field through a storm config parameter:
> ui.http.x-frame-options
> The parameter would have three possible values which would reflect X-Frame-Options' possible values.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
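
An added example, not part of the original message or of Storm's code: one way to check, after setting ui.http.x-frame-options, that a response carries exactly one valid X-Frame-Options value. The function names and the sample header pairs are constructed for illustration; the three directives are those documented on the MDN page linked in the issue.

```python
# Added example: names and sample headers below are constructed for illustration.
def parse_xfo(value):
    """Parse one X-Frame-Options value into (directive, origin or None)."""
    parts = value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty value")
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(parts) != 1:
            raise ValueError("unexpected argument after " + directive)
        return directive, None
    if directive == "ALLOW-FROM":
        if len(parts) != 2 or not parts[1].lower().startswith(("http://", "https://")):
            raise ValueError("ALLOW-FROM needs an http(s) origin")
        return directive, parts[1]
    raise ValueError("unknown directive " + directive)


def audit_headers(headers):
    """Check (name, value) response header pairs; return (ok, detail)."""
    values = [v for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return False, "missing: no framing restriction is sent"
    if len(values) > 1 or "," in values[0]:
        return False, "ambiguous: more than one value sent"
    try:
        directive, origin = parse_xfo(values[0])
    except ValueError as exc:
        return False, "invalid: %s" % exc
    if directive == "ALLOW-FROM":
        # MDN lists ALLOW-FROM as obsolete, so flag it rather than pass it.
        return False, "obsolete: ALLOW-FROM " + origin
    return True, directive


if __name__ == "__main__":
    # Constructed header sets, as http.client's getheaders() would return them.
    samples = [
        [("Content-Type", "text/html")],
        [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
        [("x-frame-options", "sameorigin")],
        [("X-Frame-Options", "ALLOW-FROM https://dashboards.example.test")],
        [("X-Frame-Options", "DENY, SAMEORIGIN")],
        [("X-Frame-Options", "ALLOWALL")],
    ]
    for headers in samples:
        print(audit_headers(headers))
```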