Posted to dev@drill.apache.org by "Dmytro Kondriukov (Jira)" <ji...@apache.org> on 2020/03/17 16:58:00 UTC
[jira] [Created] (DRILL-7646) Resources types: *.ttf and data:image/gif received without response headers
Dmytro Kondriukov created DRILL-7646:
----------------------------------------
Summary: Resources types: *.ttf and data:image/gif received without response headers
Key: DRILL-7646
URL: https://issues.apache.org/jira/browse/DRILL-7646
Project: Apache Drill
Issue Type: Bug
Affects Versions: 1.17.0
Reporter: Dmytro Kondriukov
*Preconditions:*
drill-override.conf
{noformat}
drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "localhost:5181",
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  },
  security: {
    auth.mechanisms : ["PLAIN"],
  },
  security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam4j",
    pam_profiles: [ "sudo", "login" ]
  }
  http: {
    ssl_enabled: true,
    jetty.server.response.headers: {
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
      "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
    }
  }
}
{noformat}
Steps:
# Open the "network" tab of the browser console
# Inspect the web resources for the presence of the response headers:
* X-XSS-Protection
* X-Content-Type-Options
* Strict-Transport-Security
* Content-Security-Policy
*Expected result:* all resources have the tested headers
*Actual result:* the Drillbit Web-UI sends *.ttf and data:image/gif without the response headers,
and also some *.woff resources when the user performs a logout.
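A check for the steps above, as an added example that is not from the report or the Drill project: it audits captured responses for the four headers configured in drill-override.conf and groups the unprotected resources by file type. The URLs, paths and responses in it are constructed; a data: URI is never fetched over HTTP, so it is skipped rather than counted as missing headers.

```python
"""Audit Drill Web UI responses captured from the browser Network tab for the security
headers configured under jetty.server.response.headers. Added example, not Apache Drill
code; URLs and responses below are constructed (hypothetical paths, default port 8047)."""
import posixpath
from urllib.parse import urlparse

# Header names exactly as listed in the drill-override.conf from the report.
REQUIRED_HEADERS = ("X-XSS-Protection", "X-Content-Type-Options",
                    "Strict-Transport-Security", "Content-Security-Policy")

def missing_headers(headers):
    """Required headers absent from one response; header names are case-insensitive."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

def audit(responses):
    """Map each http(s) URL to the headers its response lacks. data: URIs are decoded
    from the page itself, the browser sends no request for them and no response
    headers can exist, so they are skipped rather than flagged."""
    report = {}
    for url, headers in responses:
        if urlparse(url).scheme in ("http", "https"):
            report[url] = missing_headers(headers)
    return report

def missing_by_type(report):
    """Group unprotected URLs by file extension ('.ttf', '.woff', ...), as the report does."""
    by_type = {}
    for url, missing in report.items():
        if missing:
            ext = posixpath.splitext(urlparse(url).path)[1] or "(none)"
            by_type.setdefault(ext, []).append(url)
    return by_type

# Constructed sample: the HTML page carries all four headers, the fonts do not (the
# .woff has only nosniff), and the gif is an inline data: URI.
SAMPLE = [
    ("https://localhost:8047/", {"Content-Type": "text/html",
        "x-xss-protection": "1; mode=block", "x-content-type-options": "nosniff",
        "strict-transport-security": "max-age=31536000;includeSubDomains",
        "content-security-policy": "default-src https:"}),
    ("https://localhost:8047/static/fonts/glyphicons.ttf", {"Content-Type": "font/ttf"}),
    ("https://localhost:8047/static/fonts/glyphicons.woff",
     {"Content-Type": "font/woff", "X-Content-Type-Options": "nosniff"}),
    ("data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA=", {}),
]

if __name__ == "__main__":
    for ext, urls in missing_by_type(audit(SAMPLE)).items():
        print(ext, "unprotected:", *urls)
```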
--
This message was sent by Atlassian Jira
(v8.3.4#803005)