Posted to commits@zeppelin.apache.org by pr...@apache.org on 2017/08/16 00:21:57 UTC
[5/7] zeppelin git commit: [ZEPPELIN-2765] Configurable
X-FRAME-OPTIONS for Zeppelin
[ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin
### What is this PR for?
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"
### What type of PR is it?
[Bug Fix | Improvement ]
### What is the Jira issue?
* [ZEPPELIN-2765](https://issues.apache.org/jira/browse/ZEPPELIN-2765)
### How should this be tested?
The application (Zeppelin) loads in an iframe. Put the code below in an HTML file and open it in a browser:
<iframe src="{http_proto}://{zeppelin_host}:{zeppelin_port}/#/" width="100%" height="600"></iframe>
Author: krishna-pandey <kr...@gmail.com>
Closes #2482 from krishna-pandey/ZEPPELIN-2765 and squashes the following commits:
948d9c0e9 [krishna-pandey] Removed hyphen from the value
518f1a4a2 [krishna-pandey] Configurable X-FRAME-OPTIONS for Zeppelin
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/d2907b5c
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/d2907b5c
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/d2907b5c
Branch: refs/heads/branch-0.7
Commit: d2907b5c14adeb9d626cec54ca10ea4d82fa73c2
Parents: fc02cdb
Author: krishna-pandey <kr...@gmail.com>
Authored: Wed Jul 12 11:30:58 2017 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:34 2017 -0700
----------------------------------------------------------------------
conf/zeppelin-site.xml.template | 7 +++++++
.../src/main/java/org/apache/zeppelin/server/CorsFilter.java | 1 +
.../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 +++++++
3 files changed, 15 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 85341c3..c7c878b 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -335,5 +335,12 @@
<description>Hardcoding Application Server name to Prevent Fingerprinting</description>
</property>
-->
+<!--
+<property>
+ <name>zeppelin.server.xframe.options</name>
+ <value>SAMEORIGIN</value>
+ <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
+</property>
+-->
</configuration>
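Review bot: The `<description>` of the added property does not say which values are valid, so an operator editing the template has nothing to go on beyond the example; suggest appending `Accepted values: DENY, SAMEORIGIN, or ALLOW-FROM uri.` to the description text, matching the list in the PR description. Since the whole block is commented out, the value actually in effect comes from the code default (SAMEORIGIN in the ZeppelinConfiguration hunk), which is worth stating in the description so the template and the default stay in sync.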
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
index 3fccf1f..d29af7b 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
@@ -80,6 +80,7 @@ public class CorsFilter implements Filter {
DateFormat fullDateFormatEN =
DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en"));
response.addHeader("Date", fullDateFormatEN.format(new Date()));
+ response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions());
}
@Override
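Review bot: The value on the added `response.addHeader` line goes from configuration into the response without any check against the values the header accepts (`DENY`, `SAMEORIGIN`, `ALLOW-FROM uri`, as the PR text itself lists), so a typo in `zeppelin.server.xframe.options` yields a header that browsers ignore — no framing protection and nothing logged; the same applies to `getXFrameOptions()` in the ZeppelinConfiguration hunk, which is the natural place to validate and fall back to `SAMEORIGIN` with a warning. The header name is spelled `X-FRAME-OPTIONS`; names are case-insensitive on the wire, but `X-Frame-Options` matches the PR description and the template and is what readers expect, e.g. `response.addHeader("X-Frame-Options", ...)`. `addHeader` also appends rather than replaces, so if anything else in the chain already sets this header the response carries two values; `setHeader` is the safer choice unless multiple values are intended. Whether `ZeppelinConfiguration.create()` caches its instance is not visible here; if it re-reads the XML, calling it per response is worth hoisting into `init`. The enclosing method starts and ends outside the hunk.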
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 97ad60d..d2bb648 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -479,6 +479,12 @@ public class ZeppelinConfiguration extends XMLConfiguration {
return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
}
+
+ public String getXFrameOptions() {
+ return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS);
+ }
+
+
public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
ConfigurationKeyPredicate predicate) {
Map<String, String> configurations = new HashMap<>();
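Review bot: The new public accessor `getXFrameOptions()` has no Javadoc even though it is the value CorsFilter puts on the wire; suggest `/** Value of {@code zeppelin.server.xframe.options}, sent by CorsFilter as the X-Frame-Options header (default SAMEORIGIN). */` above it. The two consecutive blank lines at the end of the insertion also break the single-blank-line spacing used between the neighbouring methods; drop one of them. The enclosing class continues outside the hunk.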
@@ -622,6 +628,7 @@ public class ZeppelinConfiguration extends XMLConfiguration {
ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+ ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
private String varName;