Posted to issues-all@impala.apache.org by "Tamas Mate (Jira)" <ji...@apache.org> on 2022/04/07 12:32:00 UTC

[jira] [Closed] (IMPALA-10201) WebUI CSP best practice

     [ https://issues.apache.org/jira/browse/IMPALA-10201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tamas Mate closed IMPALA-10201.
-------------------------------
    Resolution: Fixed

> WebUI CSP best practice
> -----------------------
>
>                 Key: IMPALA-10201
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10201
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: Impala 4.0.0
>            Reporter: Tamas Mate
>            Assignee: Tamas Mate
>            Priority: Minor
>              Labels: newbie, ramp-up
>
> The Debug WebUI currently supports only the {{X-Frame-Options}} header, which is necessary due to backward compatibility, however in the future it will be replaced by the Content Security Policy’s {{frame-ancestors}} directive:
> {quote}Content Security Policy’s frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored [[w3.org]|https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options].
> {quote}
> {quote}As described in Section 2.3.2.2, not all browsers implement X-Frame-Options in exactly the same way, which can lead to unintended results. And, given that the "X-" construction is deprecated [RFC6648], the X-Frame-Options header field will be replaced in the future by the Frame-Options directive in the Content Security Policy (CSP) version 1.1 [CSP-1-1]. [[RFC 7034]|https://www.ietf.org/rfc/rfc7034.txt]
> {quote}
> CSP's {{frame-ancestors}} header should be implemented to adhere to the current security best practices and to avoid depending on a deprecated feature in the future.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
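As an added illustration of the precedence rule the issue quotes (not Impala code), the following evaluates which framing restriction a CSP2-conformant browser enforces when a response carries X-Frame-Options, frame-ancestors, or both, and builds the transitional header pair a server should emit while older clients still need the legacy header. Header values are constructed samples; the function names are my own.

```python
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]          # e.g. ["'self'"], ["'none'"], ["https://a.example"]
    return None


def effective_framing_policy(headers: Dict[str, str]) -> dict:
    """Apply the CSP2 rule: if frame-ancestors is present it is enforced and
    X-Frame-Options is ignored; otherwise fall back to the legacy header."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    xfo = lower.get("x-frame-options")
    ancestors = parse_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        return {"source": "frame-ancestors", "allowed": ancestors,
                "xfo_ignored": xfo is not None}
    if xfo:
        # Map the legacy values onto the equivalent frame-ancestors source list.
        legacy = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}
        value = xfo.strip().upper()
        return {"source": "x-frame-options",
                "allowed": legacy.get(value, [xfo]), "xfo_ignored": False}
    return {"source": None, "allowed": None, "xfo_ignored": False}


def framing_headers(allowed: List[str]) -> Dict[str, str]:
    """Headers to send during the transition: frame-ancestors for modern browsers
    plus the matching X-Frame-Options where a legacy equivalent exists.
    Host lists have no portable legacy form (ALLOW-FROM is not widely supported),
    so only the CSP header is emitted for them."""
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed)}
    legacy = {("'none'",): "DENY", ("'self'",): "SAMEORIGIN"}.get(tuple(allowed))
    if legacy:
        headers["X-Frame-Options"] = legacy
    return headers


if __name__ == "__main__":
    # Constructed sample: a debug UI that sends both headers with different values.
    sample = {"X-Frame-Options": "DENY",
              "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
    print(effective_framing_policy(sample))   # frame-ancestors wins, XFO ignored
    print(framing_headers(["'none'"]))
```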
