Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/01/26 00:21:00 UTC

[jira] [Commented] (IMPALA-11078) Webui should return a Content-Security-Policy header

    [ https://issues.apache.org/jira/browse/IMPALA-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17482155#comment-17482155 ] 

ASF subversion and git services commented on IMPALA-11078:
----------------------------------------------------------

Commit b96439f6806731d2b3cac84d0252f2b4c73aca7f in impala's branch refs/heads/master from Andrew Sherman
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b96439f ]

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CSP header work. Chart.js
was previously included via http, this was changed to being bundled
like other javascript and css we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CSP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Reviewed-on: http://gerrit.cloudera.org:8080/18168
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Webui should return a Content-Security-Policy header
> ----------------------------------------------------
>
>                 Key: IMPALA-11078
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11078
>             Project: IMPALA
>          Issue Type: Bug
>            Reporter: Andrew Sherman
>            Assignee: Andrew Sherman
>            Priority: Major
>
> The Content-Security-Policy header provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. This can help to prevent cross-site scripting (XSS) attacks.

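The commit above describes the policy only in prose ("all web content comes from the impalad, with some 'unsafe' inline code") and does not quote the header string, so the following is an added, stand-alone example rather than Impala's own code: it parses a CSP header value the way a browser does (first occurrence of a directive wins, fetch directives fall back to default-src), audits it for the weak spots a reviewer looks for ('unsafe-inline', 'unsafe-eval', wildcard and plaintext-http sources, missing default-src), and evaluates whether a given resource URL would be allowed, which is exactly the check that forced Chart.js to be bundled instead of fetched over http. The policy strings IMPALAD_STYLE_CSP and WEAK_CSP, the origin http://impalad.example:25000 and the URLs are constructed for the example; the keyword argument on webui_response_headers only mirrors the name of the new server flag and is not the daemon's real code path.

```python
"""Parse, audit and evaluate a Content-Security-Policy (CSP) header value.

Every policy string and URL in this file is constructed for the example; none
is the header value that impalad actually emits.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed shape of a policy that serves everything from the daemon itself while
# still permitting inline script/style (an assumption, not the real value).
IMPALAD_STYLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'"
)
# A deliberately weak policy for comparison (constructed).
WEAK_CSP = "script-src * 'unsafe-inline' 'unsafe-eval'"

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "frame-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; a repeated
    directive is ignored (the first occurrence wins), as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing a fetch directive, honouring the default-src fallback.
    An empty list means the browser applies no restriction at all."""
    return policy[directive] if directive in policy else policy.get("default-src", [])


def audit_csp(value: str) -> List[str]:
    """Return one finding per weak spot a security reviewer would flag."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: every unlisted fetch directive is unrestricted")
    for d in FETCH_DIRECTIVES:
        srcs = effective_sources(policy, d)
        if "*" in srcs:
            findings.append(f"{d}: wildcard source allows any origin")
        if any(s.startswith("http:") for s in srcs):
            findings.append(f"{d}: plaintext http source can be tampered with in transit")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{d}: 'unsafe-eval' re-enables eval()/new Function()")
        if "'unsafe-inline'" in srcs and d in ("script-src", "style-src"):
            findings.append(f"{d}: 'unsafe-inline' lets injected inline {d[:-4]} run")
    return findings


def _source_matches(source: str, page_origin: str, url: str) -> bool:
    """Simplified matching of one source expression against an absolute URL
    (scheme must match exactly; no http->https upgrade, no path matching)."""
    page, target = urlsplit(page_origin), urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (page.scheme, page.netloc) == (target.scheme, target.netloc)
    if source == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if source.endswith(":"):            # scheme-source such as https:
        return target.scheme == source[:-1]
    if source.startswith("'"):          # 'unsafe-inline', nonces, hashes: never URL matches
        return False
    if "://" not in source:             # host-source without scheme inherits the page's
        source = f"{page.scheme}://{source}"
    src = urlsplit(source)
    host, thost = src.hostname or "", target.hostname or ""
    if host.startswith("*."):
        host_ok = thost.endswith(host[1:]) and thost != host[2:]
    else:
        host_ok = host == thost
    return src.scheme == target.scheme and host_ok and (src.port is None or src.port == target.port)


def csp_allows(value: str, directive: str, page_origin: str, url: str) -> bool:
    """Would a browser on page_origin load url under `directive` of this policy?"""
    srcs = effective_sources(parse_csp(value), directive)
    return True if not srcs else any(_source_matches(s, page_origin, url) for s in srcs)


def webui_response_headers(disable_content_security_policy_header: bool = False) -> Dict[str, str]:
    """Headers a daemon would attach; the argument name mirrors the new flag (assumed)."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if not disable_content_security_policy_header:
        headers["Content-Security-Policy"] = IMPALAD_STYLE_CSP
    return headers


if __name__ == "__main__":
    origin = "http://impalad.example:25000"
    for name, policy in (("impalad-style", IMPALAD_STYLE_CSP), ("weak", WEAK_CSP)):
        print(name, audit_csp(policy))
        print("  cdn Chart.js allowed:",
              csp_allows(policy, "script-src", origin, "http://cdnjs.example/Chart.min.js"))
```

Running the module shows why the commit had to bundle Chart.js: under the 'self'-only policy a script fetched from any other host is refused, while the same URL sails through the wildcard policy. The audit still flags 'unsafe-inline' on both script-src and style-src, which is the residual risk the commit message acknowledges; the usual next step is to move inline handlers into bundled files or to switch to nonces or hashes so 'unsafe-inline' can be dropped.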


--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org