Posted to reviews@kudu.apache.org by "Khazar Mammadli (Code Review)" <ge...@cloudera.org> on 2022/07/13 17:40:14 UTC

[kudu-CR] [www] Add CSP header to web UI

Khazar Mammadli has posted comments on this change. ( http://gerrit.cloudera.org:8080/18285 )

Change subject: [www] Add CSP header to web UI
......................................................................


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/18285/1//COMMIT_MSG
Commit Message:

PS1: 
> Does it make sense to add a test into webserver-test.cc to check for the pr
I think this should be possible; a unit test would suffice just by knowing that the response contains a content security policy, but any kind of real CSP checking needs to be done through a graphical user interface.


http://gerrit.cloudera.org:8080/#/c/18285/1/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

http://gerrit.cloudera.org:8080/#/c/18285/1/src/kudu/server/webserver.cc@684
PS1, Line 684: Content-Security-Policy
> Does it make sense to add a kill-switch flag to disable adding the CSP head
I don't think that adding the header might cause an issue, but it is a good idea to have a control knob to fall back to, just in case.


http://gerrit.cloudera.org:8080/#/c/18285/1/src/kudu/server/webserver.cc@685
PS1, Line 685: sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
> What function/element is this for?  
CSP blocks inline styles when it's enabled; this is a workaround to be able to use them.
style-src defines valid sources of stylesheets or CSS, and 'self' allows for the usage of the files contained in the www folder.
We have kudu.css, bootstrap.min.css, bootstrap-table.min.css marked as stylesheets, so any modifications to them will result in a change of this hash, to my understanding.
The easiest way to get the hash is from the developer console of the browser (JS console): it results in an error and shares the said hash in the error message. There are other ways to generate this hash code (such as openssl or some online tools), but I haven't been able to get this exact hash as of now, only through the error console.



-- 
To view, visit http://gerrit.cloudera.org:8080/18285

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Gerrit-Change-Number: 18285
Gerrit-PatchSet: 1
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Andrew Wong <an...@g.ucla.edu>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Khazar Mammadli <ma...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 13 Jul 2022 17:40:14 +0000
Gerrit-HasComments: Yes
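As an added check (not part of the review or of the Kudu code base): the hash source a browser accepts under style-src is the base64 of the SHA-256 (or SHA-384/512) of the inline block's exact text, so it can be computed without the browser console; the constructed header below reuses the hash quoted in the comment, and the small checker reports whether a given inline style would pass it. The value quoted in the comment is the SHA-256 of an empty string, so a header carrying only that hash permits nothing but an empty inline style.

```python
import base64
import hashlib
import re
from typing import List

# Constructed header for this example: it reuses the style-src hash quoted in
# the review; the other directives are assumptions, not Kudu's actual header.
EXAMPLE_CSP = (
    "default-src 'self'; "
    "style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
)
HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(content: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline block, e.g. 'sha256-<base64 digest>'."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    # The digest covers the exact UTF-8 text of the element, whitespace
    # included, so any edit to the inline style changes the required hash.
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def directive_sources(csp: str, directive: str) -> List[str]:
    """Source list of a directive, falling back to default-src if absent."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get(directive, directives.get("default-src", []))


def inline_style_allowed(csp: str, style_text: str) -> bool:
    """Would a <style> block with exactly this text be permitted by the header?"""
    sources = directive_sources(csp, "style-src")
    # 'unsafe-inline' admits any inline style, but browsers ignore it once a
    # hash or nonce source is present; then only a matching hash will do.
    has_hash_or_nonce = any(
        re.match(r"'(sha256|sha384|sha512|nonce)-", s, re.IGNORECASE)
        for s in sources
    )
    if not has_hash_or_nonce and "'unsafe-inline'" in [s.lower() for s in sources]:
        return True
    expected = {csp_hash_source(style_text, algo) for algo in HASH_ALGOS}
    return any(s in expected for s in sources)
```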