Posted to commits@zeppelin.apache.org by pr...@apache.org on 2017/08/16 00:21:57 UTC

[5/7] zeppelin git commit: [ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin

[ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin

### What is this PR for?
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"

### What type of PR is it?
[Bug Fix | Improvement ]

### What is the Jira issue?
* [ZEPPELIN-2765](https://issues.apache.org/jira/browse/ZEPPELIN-2765)

### How should this be tested?
Before this change Zeppelin can be loaded inside an iframe. To verify the fix, put the snippet below in an HTML file and open it in a browser:
<iframe src="{http_proto}://{zeppelin_host}:{zeppelin_port}/#/" width="100%" height="600"></iframe>

Author: krishna-pandey <kr...@gmail.com>

Closes #2482 from krishna-pandey/ZEPPELIN-2765 and squashes the following commits:

948d9c0e9 [krishna-pandey] Removed hyphen from the value
518f1a4a2 [krishna-pandey] Configurable X-FRAME-OPTIONS for Zeppelin


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/d2907b5c
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/d2907b5c
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/d2907b5c

Branch: refs/heads/branch-0.7
Commit: d2907b5c14adeb9d626cec54ca10ea4d82fa73c2
Parents: fc02cdb
Author: krishna-pandey <kr...@gmail.com>
Authored: Wed Jul 12 11:30:58 2017 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:34 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                               | 7 +++++++
 .../src/main/java/org/apache/zeppelin/server/CorsFilter.java  | 1 +
 .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java  | 7 +++++++
 3 files changed, 15 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 85341c3..c7c878b 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -335,5 +335,12 @@
     <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
 </property>
 -->
+<!--
+<property>
+  <name>zeppelin.server.xframe.options</name>
+  <value>SAMEORIGIN</value>
+  <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
+</property>
+-->
 
 </configuration>
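Review bot: The description on the new line 64 explains what the header does but not which values the property accepts, so an operator editing this template has to guess at the exact spelling browsers honour, and the PR's own history ("Removed hyphen from the value") shows how easy that is to get wrong. The value is sent verbatim, so a misspelling yields a header browsers ignore and the page stays frameable with no error anywhere. I would extend the description with: `Accepted values: DENY, SAMEORIGIN, or ALLOW-FROM <uri>. Any other value is emitted as-is and ignored by browsers, leaving Zeppelin frameable. ALLOW-FROM is not honoured by every browser; where origin-specific framing is needed prefer a Content-Security-Policy frame-ancestors directive.`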

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
index 3fccf1f..d29af7b 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
@@ -80,6 +80,7 @@ public class CorsFilter implements Filter {
     DateFormat fullDateFormatEN =
         DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en"));
     response.addHeader("Date", fullDateFormatEN.format(new Date()));
+    response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions());
   }
 
   @Override
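Review bot: The configured value is written verbatim on the new line 80 without being checked against the three forms browsers honour (`DENY`, `SAMEORIGIN`, `ALLOW-FROM uri`), so a typo in `zeppelin.server.xframe.options` produces a header browsers silently ignore and the clickjacking protection is lost without any error — the squashed commit "Removed hyphen from the value" suggests this has already bitten once. I would read and validate the value once when the filter initialises and fall back (with a warning) or refuse to start on an unrecognised value, rather than calling `ZeppelinConfiguration.create()` on every response, which appears to load configuration each time though I cannot see `create()` from here. Separately, `addHeader` appends, so if Jetty or another filter already emits X-Frame-Options the client receives two values and browsers treat a conflicting pair as deny; `response.setHeader("X-Frame-Options", xFrameOptions)` guarantees a single header. The enclosing method starts before this hunk, and I have assumed the filter's `init(FilterConfig)` is available to host the one-time read.
```java
private String xFrameOptions;

// in init(FilterConfig): read and validate the value once, not per response
String configured = ZeppelinConfiguration.create().getXFrameOptions();
String normalized = configured == null ? "" : configured.trim();
boolean valid = normalized.equalsIgnoreCase("DENY")
    || normalized.equalsIgnoreCase("SAMEORIGIN")
    || normalized.regionMatches(true, 0, "ALLOW-FROM ", 0, 11);
// an unrecognised value would be ignored by browsers: keep the safe default and log it
xFrameOptions = valid ? normalized : "SAMEORIGIN";

// in the method that sets the Date header:
// … unchanged: Date header …
response.setHeader("X-Frame-Options", xFrameOptions);
```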

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 97ad60d..d2bb648 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -479,6 +479,12 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
   }
 
+
+  public String getXFrameOptions() {
+    return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS);
+  }
+
+
   public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
                                                 ConfigurationKeyPredicate predicate) {
     Map<String, String> configurations = new HashMap<>();
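Review bot: The new `getXFrameOptions()` on line 96 has no Javadoc, and a reader of this accessor cannot tell that it is a security-relevant value that is passed straight through to a response header without validation. I would add `/** Value emitted as the X-Frame-Options response header (zeppelin.server.xframe.options); defaults to SAMEORIGIN and is returned exactly as configured, without validation. */` above the method. The two extra blank lines on lines 95 and 100 also break the single-blank-line spacing used between the neighbouring methods.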
@@ -622,6 +628,7 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+    ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
     ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
 
     private String varName;